Symptoms
When both an expired certificate and a valid certificate for the same root CA are present in Trusted Root Certification Authorities on the Windows client machine, the vRealize Log Insight Agent cannot distinguish between them and may use the expired one. If the vRealize Log Insight Agent uses the expired certificate, communication between the Agent and the Server is broken.
On the Windows client machine, under C:\ProgramData\VMware\Log Insight Agent\log\liagent_<date>.log, you see errors similar to:
2021-08-11 18:33:56.404452 0x00001a28 <trace> CFApiTransport:128 | Re-connecting to server syslog.domain.local:9543
2021-08-11 18:33:56.435707 0x00001a28 <warng> SSLVerifyContex:165| Certificate pre-verify error = 10 while trying connect to 'syslog.domain.local'. certificate has expired
2021-08-11 18:33:56.435707 0x00001a28 <error> CurlConnection:723 | Transport error while trying to connect to 'syslog.domain.local': SSL peer certificate or SSH remote key was not OK
2021-08-11 18:33:56.435707 0x00001a28 <trace> CFApiTransport:108 | Postponing connection to syslog.domain.local:9543 by 247 sec.
2021-08-11 18:38:15.165892 0x00001a28 <trace> CFApiTransport:128 | Re-connecting to server syslog.domain.local:9543
2021-08-11 18:38:15.197138 0x00001a28 <warng> SSLVerifyContex:165| Certificate pre-verify error = 10 while trying connect to 'syslog.domain.local'. certificate has expired
2021-08-11 18:38:15.197138 0x00001a28 <error> CurlConnection:723 | Transport error while trying to connect to 'syslog.domain.local': SSL peer certificate or SSH remote key was not OK

Note: The preceding log excerpts are only examples. Date, time, and environmental variables will vary depending on your environment.
Purpose
This article provides steps that help the vRealize Log Insight agent handle expired Windows CA root certificates correctly.
Resolution
This is a known issue affecting vRealize Log Insight 8.x; there is no resolution at this time. Please subscribe to this article to be informed when updates are published.
Workaround
To work around this issue, use either of the following two options:

Option 1: Set ssl_accept_any=yes and ssl_accept_any_trusted=yes. This will enable the LI Agent to trust the certificate even with the expired root CA. Note that this relaxes the agent's validation of the server certificate.

Option 2: Create a separate truststore containing only the valid root CA, and point the LI Agent to it using the ssl_ca_path property. This keeps full certificate validation in place.

All options are described in detail at https://docs.vmware.com/en/vRealize-Log-Insight/8.4/com.vmware.log-insight.administration.doc/GUID-D0727922-91E8-4352-B909-7595254620C5.html
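As an added example (not from this KB article or from VMware's own tooling), the following PowerShell builds the Option 2 truststore from the Windows machine store, keeping only the copy of the root CA that is currently within its validity period, and then points liagent.ini at that file via ssl_ca_path. The root CA subject name, the PEM output path and the liagent.ini path are assumptions to adjust for your environment.

```powershell
# Added example: build a PEM truststore holding only the currently valid root CA
# and configure the Log Insight Agent to use it (Option 2 in the workaround).
$IssuerSubject = 'CN=Corp Root CA'                              # assumption: subject of the root CA that signed the LI server certificate
$TrustStore    = 'C:\ProgramData\VMware\liagent-ca.pem'         # assumption: where to write the PEM bundle
$AgentIni      = 'C:\ProgramData\VMware\Log Insight Agent\liagent.ini'  # assumption: agent configuration file

$now = Get-Date
# Both the expired and the valid copy of the root live in the same store;
# keep only certificates whose validity period covers the current time.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $IssuerSubject } |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }

if (-not $roots) { throw "No currently valid root CA with subject '$IssuerSubject' in Cert:\LocalMachine\Root" }

# Export each remaining certificate as PEM and concatenate them into one bundle.
$pem = foreach ($cert in $roots) {
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}
Set-Content -Path $TrustStore -Value ($pem -join "`n") -Encoding Ascii

# Show what was written so the expiry dates can be checked by eye.
$roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# Point the agent at the bundle: replace an existing (possibly commented-out)
# ssl_ca_path line, insert one under [server], or create the section if missing.
$ini = @(Get-Content -Path $AgentIni)
if ($ini -match '^\s*;?\s*ssl_ca_path\s*=') {
    $ini = $ini -replace '^\s*;?\s*ssl_ca_path\s*=.*$', "ssl_ca_path=$TrustStore"
} elseif ($ini -match '^\[server\]') {
    $ini = $ini -replace '^\[server\]\s*$', "[server]`nssl_ca_path=$TrustStore"
} else {
    $ini += '[server]', "ssl_ca_path=$TrustStore"
}
Set-Content -Path $AgentIni -Value $ini -Encoding Ascii

# Restart the agent so it reloads the configuration (matched by display name,
# since the exact service name is not stated in the KB article).
Get-Service | Where-Object { $_.DisplayName -like '*Log Insight*' } | Restart-Service
```

After the restart, the liagent_<date>.log should show the connection to the server succeeding instead of the "certificate has expired" pre-verify error.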