This troubleshooting guide provides a detailed process to diagnose and resolve SSL/TLS handshake failures due to certificate errors on OpsRamp NextGen Gateways. The steps will help you identify the cause of the disconnect, obtain the necessary certificates, and install them on the gateway to restore secure communication.

Tunnel Disconnect with Certificate Errors in NextGen Gateway

Follow the below steps tp resolve the Tunnel Disconnect Issues Due to Certificate Errors in NextGen Gateway:

Step 1: Save Certificates to /root/custom-certs

  1. Create a Folder:
    mkdir -p /root/custom-certs
  2. Navigate to the Folder:
    cd /root/custom-certs
  3. Save Certificates:
    • Save all the certificates in this folder with a .crt extension
    • Make sure that you save the certificates on all nodes.

Step 2: Import CA Certificates into the OS (Ubuntu)

  1. Copy Certificates:
    sudo cp /root/custom-certs/*.crt /usr/local/share/
  2. Update Certificates:
    sudo update-ca-certificates

Note: Repeat this process on all nodes.

Step 3: Import CA Certificates into NextGen Gateway

  1. Create a ConfigMap:
    cd /root/
kubectl create configmap custom-certs --from-file=custom-certs -n <namespace>
  2. Update the Helm Chart:
    • If the gateway is already registered, pull and update the Helm chart
      helm pull oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version 1.6.0
helm upgrade nextgen-gw nextgen-gw-1.6.0.tgz -n <namespace>
    • Note: The –version 1.6.0 and nextgen-gw-1.6.0.tgz should match your specific gateway release.
  3. Register the Gateway (if not registered):
    Follow the registration document if the gateway is not already registered.

Step 4: Update Existing Certificates

  1. Delete the Existing ConfigMap:
    kubectl delete configmap custom-certs -n <namespace>
  2. Re-import the Certificates:
    Follow Step 3 and the steps under “Import CA Certificates into the OS (Ubuntu)”.