This troubleshooting guide provides a detailed process to diagnose and resolve SSL/TLS handshake failures due to certificate errors on OpsRamp NextGen Gateways. These errors typically cause tunnel disconnects, and the steps below will help you identify the root cause, obtain the necessary certificates, and install them on the gateway to restore secure communication.

Follow the below steps to resolve the Tunnel Disconnect Issues Due to Certificate Errors in NextGen Gateway:

Step-by-Step Resolution

Step 1: Save Certificates to /root/custom-certs on All nodes.

1. Create the folder to store the certificates:

   mkdir -p /root/custom-certs

2. Navigate to the Folder:

   cd /root/custom-certs

3. Save the certificates in the folder with a .crt extension. Ensure that the certificates are saved on all nodes.

   Note

   The following step (Step 2) are applicable only to customers using the OpsRamp-provided ISO/OVA. If you are using your own managed Kubernetes setup with a different operating system, please ensure that the CA certificates are placed in the appropriate location as per your OS requirements.

Step 2: Import CA Certificates into the OS (Ubuntu)

1. Copy the certificates to the appropriate directory:Copy Certificates:

   sudo cp /root/custom-certs/*.crt /usr/local/share/

2. Update Certificates:

   sudo update-ca-certificates

   Note

   Repeat this process on all nodes in your cluster.

Step 3: Import CA Certificates into NextGen Gateway

1. Create a ConfigMap to hold the custom certificates:

   cd /root/
   kubectl create configmap custom-certs --from-file=custom-certs -n <namespace>

   Replace <namespace> with your gateway’s namespace. If you don’t have a custom namespace, use “default”.
2. Retrieve the existing chart version using the following command:

   helm list -n <namespace>

   Sample Responce:

In this output, the chart version is located under the CHART section. For example, if it says nextgen-gw-18.0.5, the version is 18.0.5.

3. Update the Helm chart if the gateway is already registered. Use the following command to upgrade:

   helm pull oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version 1.6.0
   helm upgrade nextgen-gw nextgen-gw-1.6.0.tgz -n <namespace>

   Note

   The –version 18.0.5 and nextgen-gw- 18.0.5.tgz should match your specific gateway release.
4. Register the Gateway if not registered:
   Follow the registration document if the gateway is not already registered.

   Note

   Step 4 is optional and should only be performed if you need to replace the existing certificates with new ones.

Step 4: Update Existing Certificates (Optional)

If you need to replace the existing certificates with new ones, follow these steps:

1. Delete the Existing ConfigMap:

   kubectl delete configmap custom-certs -n <namespace>

2. Re-import the certificates by following Step 3 to complete the process.