Connections Fail with Certificate or Platform Services Controller Token Errors
Connections to virtual container hosts (VCHs) that use full TLS authentication with trusted Certificate Authority (CA) certificates fail with certificate errors. Connections to vSphere Integrated Containers Management Portal fail with Platform Services Controller token errors.
Problem
vic-machine
operations on a VCH result in a "bad certificate" error:Connection failed with TLS error "bad certificate" check for clock skew on the host Collecting host-227 hostd.log vic-machine-windows.exe failed: tls: bad certificate </pre>NOTE:
vic-machine
tolerates a 1 day skew. A skew of 1 day might result in a different certificate error than time skew.- Connections to the VCH Admin portal for the VCH fail with an
ERR_CERT_DATE_INVALID
error. - Connections to the VCH from Docker clients fail with a
bad certificate
error. - Connections to vSphere Integrated Containers Management Portal fail with Platform Services Controller token errors.
Cause
There is potentially a clock skew between the VCH and the system from which you are connecting to the VCH, or between the vSphere Integrated Containers appliance and the ESXi host on which it is running.
Solutions
Ensure that the system time is synchronized between VCHs and systems that connect to them, and between the appliance and the underlying host.
VCH Certificate Errors
- Go to the VCH Admin portal for the VCH at https://vch_address:2378 and check the System Time under VCH Info.
If the system time of the VCH is wrong, run
vic-machine debug
to enable SSH access to the VCH.For information about enabling SSH on a VCH, see Authorize SSH Access to the VCH Endpoint VM.
Connect to the VCH endpoit VM by using SSH.
ssh root@vch_address
Use the
date --set
Linux command to set the system clock to the correct date and time.The two most common date formats are the following:
- Unix Time Stamp:
date --set='@1480969133'
YYYYMMDD HH:MM
format:date --set="20161205 14:31"
- Unix Time Stamp:
To prevent this issue recurring on VCHs that you deploy in the future, verify that the host time is correct on the ESXi host on which you deploy VCHs. For information about verifying time synchronization on ESXi hosts, see VMware KB 1003736.
Platform Services Controller Token Errors
Configure the vSphere Integrated Containers appliance to use Network Time Protocol (NTP) synchronization. For information about configuring NTP by using the vSphere Client, see VMware KB 1014038.
Alternatively, configure NTP directly in the appliance VM.
- Use SSH to connect to the vSphere Integrated Containers appliance as root user.
ssh root@vic_appliance_address
- Enable NTP in the appliance.
timedatectl set-ntp true
- (Optional) Open
/etc/systemd/timesyncd.conf
in a text editor, uncomment theNTP
line, and add an NTP server address.[Time] NTP=ntp_server_address</pre>