When I make a gateway connection to the master node of a redundant pair I am seeing this flood the log. When I check the master node I am connecting to, I see the certificates show up in the gateway network incoming tab. But over on the backup node I never see the certificates show up. Since the certificates never show up, if I try to make a connection to the backup node it is always faulted.
Any ideas what I need to do to fix this?
What version of Ignition are you on? I believe the warning spamming the logs is benign and unrelated, and something that should be suppressed starting on 8.0.8 if I’m not mistaken.
You mentioned that the backup node is making an outgoing connection to the master, right? In this case, I would expect the backup node’s certificate to show up on the master’s incoming tab of the Gateway Network config page, which I believe you’ve confirmed. Are you also expecting the master’s certificate to show up on the backup gateway’s outgoing tab?
The gateways making the outgoing connection are 7.9.14. The gateways with the incoming connection are 8.1.1. Here are some pictures of the gateway connections. It seems to me that for some reason the gateway backup with the incoming connection (B2) is not getting the certificates. You can see in the third picture the certificates are N/A.
Gateway A1
Gateway B1
Gateway B2
On whatever Gateway is making the outgoing connection to B2: can you check its server logs to see if there are any SSL exceptions? Do you have the two-way authentication setting enabled? You might need to add B2’s cert to the data/certificates/gateway_network folder of the gateway making the outgoing connection so it is trusted.
Two-way authentication is not enabled on any of the gateways. If I search A1 gateway status logs for ssl I get this:
How do I get a certificate from one gateway and put it on another gateway? I see the certificates in the upper section; it is just not assigning them to the remote gateway connection in the lower section.
You’d have to use a tool such as keytool or Keystore Explorer to extract B2’s GW network server certificate from the key store file at $IGNITION/webserver/metro-keystore
…but if you do not have two-way auth enabled on A1, I don’t think that will make a difference.
I’m not sure why A1’s cert is not showing on B2’s incoming list; I can’t reproduce the issue myself unless two-way auth is enabled on the gateway with the outgoing connection and the same gateway does not trust the remote gateway’s server cert.
As a workaround, you can use the same method I described above to extract the cert from A1’s key store, and drop it into B2’s data/certificates/gateway_network folder to manually trust the incoming connection. If that doesn’t work, I’d get in touch with support so that they can take a deeper look into your environment.
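The extract-and-trust procedure described in the two replies above, written out as a POSIX shell script. This is an added example and not code from the thread or from Inductive Automation; it assumes `keytool` from a JDK/JRE is on the PATH, and the keystore alias and store password are placeholders (not stated in the thread) that you must replace after listing the keystore. The install step checks that the file really is a PEM certificate before it is dropped into the gateway_network trust folder.

```shell
#!/bin/sh
# Added example (not from the forum thread): export a gateway's Gateway Network
# server certificate from $IGNITION/webserver/metro-keystore with keytool and
# install it into another gateway's data/certificates/gateway_network folder.

# List the entries in a metro-keystore so you can find the alias to export.
# If you omit the password argument, keytool prompts for it instead of
# taking it on the command line (where it would be visible in `ps`).
# Usage: list_gw_keystore "$IGNITION/webserver/metro-keystore" [storepass]
list_gw_keystore() {
    keystore="$1"
    if [ -n "${2:-}" ]; then
        keytool -list -v -keystore "$keystore" -storepass "$2"
    else
        keytool -list -v -keystore "$keystore"
    fi
}

# Export one entry as a PEM ("-rfc") certificate file.
# The alias below is a placeholder assumption; take the real one from list_gw_keystore.
# Usage: export_gw_cert "$IGNITION/webserver/metro-keystore" ALIAS_FROM_LIST /tmp/b2-gwn.pem [storepass]
export_gw_cert() {
    keystore="$1"; alias="$2"; outfile="$3"
    if [ -n "${4:-}" ]; then
        keytool -exportcert -rfc -keystore "$keystore" -alias "$alias" \
            -storepass "$4" -file "$outfile"
    else
        keytool -exportcert -rfc -keystore "$keystore" -alias "$alias" -file "$outfile"
    fi
}

# Print the SHA-256 fingerprint of a PEM cert so you can compare it with what the
# other gateway displays for the same connection (requires openssl).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Sanity check: does the file carry PEM certificate markers?
is_pem_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    return 0
}

# Copy a PEM cert into a gateway's gateway_network trust folder.
# Refuses anything that does not look like a PEM certificate, so a keytool
# error message or a DER file is never silently "trusted".
# Usage: install_trusted_cert /tmp/a1-gwn.pem "$IGNITION/data"
install_trusted_cert() {
    cert="$1"; gw_data_dir="$2"
    if ! is_pem_cert "$cert"; then
        echo "refusing to install: $cert is not a PEM certificate" >&2
        return 1
    fi
    dest="$gw_data_dir/certificates/gateway_network"
    mkdir -p "$dest" || return 1
    cp "$cert" "$dest/$(basename "$cert")" || return 1
    echo "installed $(basename "$cert") into $dest"
}
```

Run the listing first to learn the alias, export with `-rfc` so the file is PEM, then compare the fingerprint on both gateways before and after installing; the trust folder is the same `data/certificates/gateway_network` path named in the thread, on whichever gateway needs to trust the remote certificate.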
The certificates are already in data/certificates/gateway_network on gateway B2. I will create a ticket with support and see if they can figure out what is going on. Thanks for the help.