The Log Insight Agents reject self-signed certificate.
Problem
A vRealize Log Insight agent rejects self-signed certificate and cannot establish a connection with the server.
Note: If you experience connection problems with the agent, you can generate detailed logs to check by changing the debug level for the agent to 1. For more information, see
Define Log Details Level in the Log Insight Agents.
Cause
The messages you see in the agent log have specific causes.
Message | Cause |
---|---|
Rejecting peer self-signed certificate. Public key doesn't match previously stored certificate's key. |
|
Rejecting peer self-signed certificate. Have a previously received certificate which is signed by trusted CA. | There is a CA-signed certificate stored on the agent side. |
Solution
- ♦ Verify whether your target host name is a trusted vRealize Log Insight instance, and then manually delete the previous certificate from vRealize Log Insight Agent cert directory.
- For Log Insight Windows Agent, go to C:\ProgramData\VMware\Log Insight Agent\cert.
- For Log Insight Linux Agent, go to /var/lib/loginsight-agent/cert.
Note: Some platforms might use nonstandard paths for storing trusted certificates. The Log Insight Agents have an option to configure the path to trusted certificates store by setting the ssl_ca_path=<fullpath> configuration parameter. Replace<fullpath>
with the path to the trusted root certificates bundle file. See Configure the Log Insight Agents SSL Parameters.