Troubleshooting Tanzu Salt SaaS setup

Read about some errors you might encounter while configuring Tanzu Salt and how to fix them.

You do not see the master key in the Pending tab

You do not see the master key in the Pending tab in the Administration workspace in Tanzu Salt.

Cause

These symptoms might be caused for several reasons: - The sseapi_server value in the /etc/salt/master.d/cloud.conf file is incorrect. The cloud.conf file points to your Tanzu Salt instance. - Your Salt master cannot communicate with Tanzu Salt because it is still connected to your on-premises deployment. The sseapi_server value in the /etc/salt/master.d/raas.conf file takes precedence over the sseapi_server value in the cloud.conf file.

Solution

Verify that the sseapi_server value in the cloud.conf file matches the ssc_url value for your region.
Verify that the sseapi_server value in the raas.conf file is commented out.
Re-run the sseapi-config join command.

You see access error messages after you run the `sseapi-config join` command

You see access error messages after you run the sseapi-config join command.

CSP access token must have at least one of the following roles:
[['csp:org_owner', 'csp:org_admin']]

Cause

These symptoms might occur if you do not have the organization roles that are required to connect your Salt master to Tanzu Salt.

Solution

Contact your Organization administrator to assign you the required roles.

You see an error message after running `sseapi-config join`

You see a command not found error message after you run the sseapi-config join command.

sseapi-config: command not found

Cause

These symptoms might be caused if the sseapi-config command is not in your path.

Solution

Check the /usr/local/bin directory for the sseapi-config command. If the command is there, add the /usr/local/bin directory to your path.

You see an error message after running `sseapi-config auth`

You see the error Nonce decryption failed (raas pubkey mismatch or malformed nonce) when you run sseapi-config auth on your salt-master.

sseapi-config: Nonce decryption failed (raas pubkey mismatch or malformed nonce)

Cause

The salt-master has cached the wrong RaaS authentication key in the file system. This can happen when a salt-master is setup to authenticate to a RaaS instance and then reconfigured to authenticate to a different instance.

Solution

Remove the file /etc/salt/pki/master/raas_key.pub.
Re-run the sseapi-config auth command.
Accept the master key in the user interface.

You see an error message after running `sseapi-config auth`

You see the error Invalid nonce (likely salt-master key mismatch) when you run sseapi-config auth on your salt-master.

sseapi-config: Invalid nonce (likely salt-master key mismatch)

Cause

The salt-master is attempting to authenticate to RaaS using a different key from the one that was accepted previously.

Solution

Remove the old master key in the user interface. The salt-master will submit its new key for acceptance.
Accept the new master key in the user interface.

Troubleshooting Tanzu Salt SaaS setup

You do not see the master key in the Pending tab

Cause

Solution

You see access error messages after you run the sseapi-config join command

Cause

Solution

You see an error message after running sseapi-config join

Cause

Solution

You see an error message after running sseapi-config auth

Cause

Solution

You see an error message after running sseapi-config auth

Cause

Solution

You see access error messages after you run the `sseapi-config join` command

You see an error message after running `sseapi-config join`

You see an error message after running `sseapi-config auth`

You see an error message after running `sseapi-config auth`