Follow

404 Error When Trying to Pair a VSatellite Worker

Error:

A 404 error is returned when attempting to pair a new VSatellite worker with a VSatellite host along with additional text.

404VsatWorker.png

Symptom:

During the deployment of a Microsoft CA connector, a VSatellite worker must be installed to take the command and control messages from Venafi as a Service and the VSatellite, and convert them into RPC messages destined to the target Active Directory Certificate services (ADCS) host. During the pairing process, after supplying an FQDN and port (or IP and PORT for the worker (FQDN:PORT, IP:PORT) and setting it, when clicking Pair, you receive a 404 error. This error appears as a short-lived message box at the top of the registration page. You cannot proceed to the next step until this is resolved.

Cause:

There are several possible causes for this error to occur.

  • A hostname was supplied rather than an FQDN or IP address
  • Ensure the correct VSatellite host was selected to pair with
  • The fully qualified domain name cannot be resolved from the VSatellite host (kubernetes pod, not system)
  • Vsatellite installation did not succeed
  • Check VSatellite worker service status
  • Check VSatellite registration & communication status
  • Check VSatellite worker registration
  • Default port is 8085, check windows (worker) firewall for inbound connection from VSatellite host
  • Check spelling of target IP/Name and resolution from VSatellite host
  • VSatellite worker was installed with a different pairing code than what pairing attempts to use

A Hostname was Supplied Rather Than an FQDN or IP Address

Hostnames cannot be used during the pairing process. Paring requires either a fully qualified domain name (FQDN) or IP address. Either must be appended with the target port (default port is 8085). Change the value to an IP address or FQDN. For example: 192.168.44.11:8085 or vsatwk01.domain.local:8085

Ensure the Correct VSatellite Host was Selected to Pair With

If multiple VSatellite hosts are installed in your system, ensure that during the pairing process, the correct VSatellite is selected to pair with. 

The Fully Qualified Domain Name  (FQDN) Cannot be Resolved from the VSatellite Host

Host names cannot be used here. Rather FQDNs or IP addresses must be used when registering the VSatellite worker host. Further, it is the kubernetes pod performing the name lookup on the VSatellite host, not the host system's name lookup configuration. If an FQDN name cannot be resolved successfully and a 404 error is returned when using an FQDN, switch to using an IP address instead. For example: 192.168.44.11:8085.

Vsatellite Installation did not Succeed

Following the installation of the Vsatellite worker, an information message should have appeared in the PowerShell dialog at the end of the installation stating:

INFO Venafi VSatellite Worker Service installed successfully

If this message did not appear, check the installation logs in the logs directory for any errors or problems. This folder and logs are created during install in the location where the installer was run.

Check Vsatellite Service Status

If the installation appears successful, the Venafi VSatellite Worker service should be visible and running in the services mmc (services.msc). Alternatively, you can check the status from a command prompt with the following command:

sc query VSatWorkerService

The STATUS should be shown as RUNNING.

Check Vsatellite Registration & Communication Status

Ensure the VSatellite host is registered, active and healthy. An unhealthy or inactive VSatellite will may not properly communicate with its VSatellite Worker or Microsoft CA.

  1. Log in as an admin of Venafi as a Service and go to Settings | VSatellites.
  2. Identify the VSatellite in question and note the following values:
    • Status - should be "Active". Any other value indicates a problem. Try restarting the VSatellite host and give it up to 5 minutes to completely reboot and restart its services and check in. If it is still not simply "Active", contact support@venafi.cloud.
    • Last VaaS Check-In - should never be longer than 30 minutes. If the check-in period is more than 30 minutes, your VSatellite has lost connectivity or is not healthy. Many things can cause this. Assuming nothing in the network has changed, a reboot may clear up any problems. Also check your local host firewall, network firewalls, ensure connectivity to the VaaS endpoints or port 443 and 9443 (443 - https://api.venafi.cloud, 443 - https://dl.venafi.cloud, 9443 - https://vsat-gw.venafi.cloud). If the system is on and running and can contact those three endpoints with utilities like OpenSSL or nmap, contact support@venafi.cloud. 

Check Vsatellite Worker Registration

If the VSatellite Worker registration has failed, this would most likely be noted in the installation logs found in the logs directory where the VSatellite Worker service was installed. However, current registration status of a worker can be seen by examining its registration with a VSatellite host.

  1. Log in as an admin of Venafi as a Service and go to Settings | VSatellites.
  2. Click on the name of the Vsatellite host the worker should be paired with.
  3. Select the Connected Workers tab.
  4. The Status column should indicate Active. 

If the status is not Active, ensure the service is still installed on the worker host and running and the VSatellite host can communicate with the Worker on the defined port listed in the Port column.

Check Windows Worker Host Based Firewall for Inbound Connection from Vsatellite Host

The default port for communication between the VSatellite host and the VSatellite Worker is port 8085. This is defined during the installation process with the port parameter and can be seen in the VSatellite Connected Workers port column (see previous section: Check Vsatellite Worker Registration).

If host based firewalls are employed on your systems, ensure the VSatellite worker host allows inbound TCP communication from the VSatellite host from any port to port 8085. On the VSatellite host, ensure it is permitted to communicate to the Vsatellite worker with to a target port of 8085.

Tools like OpenSSL, nmap or Telnet can be used for these tests.

Check Spelling of Target IP/Name and Resolution from VSatellite Host

Check the spelling of target IP/Name:port and verify you have resolution and connectivity between the VSatellite worker VSatellite host in both directions.

 

VSatellite worker was installed with a different pairing code than what pairing attempts to use

Make sure to not let UI timeout between installing the VSatellite worker and attempting to pair it with a VSatellite. The pairing code and public key changes when page is reloaded. This can happen if your session times out.

Was this article helpful?
0 out of 0 found this helpful

Comments