The VMware Aria Operations for Logs Agents reject a self-signed certificate.

Problem

A VMware Aria Operations for Logs agent rejects a self-signed certificate and cannot establish a connection with the server.

Note: If you experience connection problems with the agent, you can generate detailed logs to examine by setting the agent's debug level to 1. For more information, see Define Log Details Level in the VMware Aria Operations for Logs Agents.

Cause

The messages you see in the agent log have specific causes.

Message: Rejecting peer self-signed certificate. Public key doesn't match previously stored certificate's key.
Cause:
  • This might happen when the VMware Aria Operations for Logs certificate is replaced.
  • This might happen if the HA-enabled in-cluster environment is configured with different self-signed certificates on VMware Aria Operations for Logs nodes.

Message: Rejecting peer self-signed certificate. Have a previously received certificate which is signed by trusted CA.
Cause: There is a CA-signed certificate stored on the agent side.

Solution

  • Verify whether your target host name is a trusted VMware Aria Operations for Logs instance, and then manually delete the previous certificate from the VMware Aria Operations for Logs Agent cert directory.
    • For VMware Aria Operations for Logs Windows Agent, go to C:\ProgramData\VMware\Log Insight Agent\cert.
    • For VMware Aria Operations for Logs Linux Agent, go to /var/lib/loginsight-agent/cert.
    Note: Some platforms might use nonstandard paths for storing trusted certificates. The VMware Aria Operations for Logs Agents have an option to configure the path to the trusted certificate store by setting the ssl_ca_path=<fullpath> configuration parameter. Replace <fullpath> with the path to the trusted root certificates bundle file. See Configure the SSL Parameters.
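The first solution step asks you to confirm the host before deleting the stored certificate. The following check supports that step by comparing the public key in the stored certificate with the key the server presents now; it is an added example, not part of the VMware documentation, and it assumes openssl is installed, that the stored file is a PEM certificate, and a host, port and file name that you supply (the page gives only the Linux cert directory).

```shell
#!/bin/sh
# Added example (not VMware code): compare the public key pinned by the Linux
# agent with the key the server currently presents, before anything is deleted
# from the cert directory. Requires the openssl command-line tool.

# Directory from the page; the file name inside it and the TLS port are
# assumptions you pass in as arguments.
AGENT_CERT_DIR=/var/lib/loginsight-agent/cert

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Return 0 when two PEM certificates carry the same public key, 1 otherwise.
# A renewed certificate that reuses its key is still a match, which is why
# the agent message talks about the key and not the certificate bytes.
keys_match() {
    a=$(pubkey_fingerprint "$1") || return 2
    b=$(pubkey_fingerprint "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the leaf certificate the server presents right now (host port outfile).
fetch_live_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Usage: check_pinned_cert <stored.pem> <host> <port>
# Reports whether the pinned key equals the live key; never deletes anything.
check_pinned_cert() {
    live=$(mktemp) || return 2
    fetch_live_cert "$2" "$3" "$live" || { rm -f "$live"; return 2; }
    if keys_match "$1" "$live"; then
        echo "MATCH: stored key equals the live key of $2"
        rc=0
    else
        echo "MISMATCH: $2 presents key $(pubkey_fingerprint "$live")"
        echo "          stored file $1 has key $(pubkey_fingerprint "$1")"
        echo "Confirm out-of-band that $2 is your trusted instance before removing $1 from $AGENT_CERT_DIR"
        rc=1
    fi
    rm -f "$live"
    return $rc
}
```

Run it as check_pinned_cert /var/lib/loginsight-agent/cert/<stored-file> <host> <port>; a MISMATCH output shows both key fingerprints so you can compare the live one against what the server administrator reports.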