Some users may experience issues accessing the case portal. For more information, please click here.

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Certificate revocation issues while using the Flexera Kubernetes inventory agent

Certificate revocation issues while using the Flexera Kubernetes inventory agent

Certificate revocation issues can occur with the Flexera Kubernetes agent when applying a custom CA certificate bundle. When using a custom CA certificate bundle, a volume is mounted within the container at /var/opt/managesoft/etc/ssl. When the storage volume is a Secret or a ConfigMap, that volume is mounted as read-only. Because it's read-only, the write fails when the upload agent (ndupload) downloads revocation list files and attempts to write them to that volume.

You may see the following such errors in this situation:

Error 0xE0000002: No such file or directory 2
Error 0xE0500454: Failed to write local file /var/opt/managesoft/etc/ssl/ocsp/4f2f13d0.ocsp 3
Error 0xE0000002: No such file or directory 4
Error 0xE0500454: Failed to write local file /var/opt/managesoft/etc/ssl/crls/1f6380c7.r0 5
Error 0xE050057C: HTTPS certificate revocation status could not be determined

Solution

  1. Create an INI file containing the following: 
    [ManageSoft\Common]
    CheckCertificateRevocation=False

    NOTE: You can use any file name (example: patch.ini).

  2. Create a ConfigMap within the Flexera namespace to store the patch files using the following command: 
    kubectl create configmap krm-config --namespace flexera --from-file=patch.ini
  3. Within the YAML file, add the ConfigMap within the spec.monitor.configPatch. For example: 
    apiVersion: agents.flexera.com/v1
kind: KRM
spec:
  monitor:
    configPatch:
      name: krm-config
  4. After you redeploy the updated YAML file or instantiate the monitor pod, it should be able to read the INI file you created. Check the logs to validate that the INI file was read using the following command:  
    kubectl exec -n flexera krm-instance-monitor-0 -- cat /var/opt/managesoft/log/uploader.log

For more details, see Patching config.ini through Flexera Kubernetes Inventory Agent

Was this article helpful? Yes No
0 318
No ratings
Version history
Last update:
‎Feb 06, 2023 02:20 PM
Updated by:
Community Manager Community Manager
Contributors