Log Insight Agents Reject Self-Signed Certificates

The Log Insight Agents reject self-signed certificate.

Problem

A vRealize Log Insight agent rejects self-signed certificate and cannot establish a connection with the server.

Note: If you experience connection problems with the agent, you can generate detailed logs to check by changing the debug level for the agent to 1. For more information, see Define Log Details Level in the Log Insight Agents.

Cause

The messages you see in the agent log have specific causes.


Message	Cause
`Rejecting peer self-signed certificate. Public key doesn't match previously stored certificate's key.`	This might happen when thevRealize Log Insight certificate is replaced. This might happen if the HA-enabled in-cluster environment is configured with different self-signed certificates on vRealize Log Insight nodes.
`Rejecting peer self-signed certificate. Have a previously received certificate which is signed by trusted CA.`	There is a CA-signed certificate stored on the agent side.

Solution

♦ Verify whether your target host name is a trusted vRealize Log Insight instance, and then manually delete the previous certificate from vRealize Log Insight Agent cert directory.
- For Log Insight Windows Agent, go to C:\ProgramData\VMware\Log Insight Agent\cert.
- For Log Insight Linux Agent, go to /var/lib/loginsight-agent/cert.
Note: Some platforms might use nonstandard paths for storing trusted certificates. The Log Insight Agents have an option to configure the path to trusted certificates store by setting the ssl_ca_path=<fullpath> configuration parameter. Replace <fullpath> with the path to the trusted root certificates bundle file. See Configure the Log Insight Agents SSL Parameters.