When the Flexera Kubernetes inventory agent is configured to use HTTPS, it uses the standard bundle of trusted Certificate Authorities (CAs) as distributed by Mozilla. However, if the beacon server's upload endpoint certificate is signed by an unrecognized authority internal to your organization, it won't be validated, causing an SSL error.
If you are having SSL issues with the Flexera Kubernetes inventory agent, you can look at the uploader log using the following Kubernetes agent command:
kubectl exec -n flexera krm-instance-monitor-0 -- cat /var/opt/managesoft/log/uploader.log
The uploader logs will show the following information if your CA is not validated:
Uploading file 'k8s-inventory-12345678-20221026T131026.ndi' to
'https://myorg.beacon.com/ManageSoftRL/Inventories'
Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate
Error 0xE050044D: Failed to create remote directory /ManageSoftRL
Error 0xE0690099: Specified remote directory is invalid, or could not be created
ERROR: Remote directory is invalid
Generally, in this scenario, you can copy the CA certificates that you want to be validated by the beacon to /var/opt/managesoft/etc/ssl/cert.pem, but another approach must be used with the Flexera Kubernetes inventory agent. Follow the steps below to allow validation of custom CA certificates.
kubectl get deployments --namespace flexera
kubectl create secret generic myorg-certificates \
  --namespace flexera --from-file=cert.pem
apiVersion: agents.flexera.com/v1
kind: KRM
spec:
  monitor:
    tlsFiles:
      secret:
        secretName: myorg-certificates
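Before running the kubectl create secret step above, it helps to confirm that cert.pem contains only well-formed CA certificate blocks and no private key material, since the file is mounted into the agent pod. The following preflight is an added example, not Flexera's own tooling; the function name check_ca_bundle is hypothetical, and the check is structural only (it does not verify that the bundle actually chains to the beacon's certificate).

```shell
#!/bin/sh
# Added example: structural preflight for the cert.pem bundle that will be
# stored in the Kubernetes secret. check_ca_bundle is a hypothetical helper.
# Prints the number of certificate blocks and returns 0 on success.
check_ca_bundle() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }

    # A trust bundle needs public certificates only. Key material placed in
    # a secret that is mounted into the agent pod is unnecessary exposure.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        echo "$bundle contains a private key; remove it" >&2
        return 3
    fi

    # Require every BEGIN to be closed by an END with a non-empty base64
    # body in between. Text outside the blocks (comments) is allowed.
    tr -d '\r' < "$bundle" | awk '
        $0 == "-----BEGIN CERTIFICATE-----" { if (inblk) bad = 1; inblk = 1; body = 0; next }
        $0 == "-----END CERTIFICATE-----"   { if (!inblk || !body) bad = 1; inblk = 0; n++; next }
        inblk && $0 ~ "^[A-Za-z0-9+/=]+$"   { body++; next }
        inblk                               { bad = 1 }
        END { if (inblk || bad || n == 0) exit 1; print n }
    ' || { echo "$bundle is not a well-formed PEM bundle" >&2; return 4; }
}

# Stand-alone use: sh preflight.sh cert.pem
if [ "$#" -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

A non-zero return means the file should be corrected before it is passed to --from-file.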
For more details, see Supporting Custom Certificates for HTTPS in the IT Asset Management Online Help.
Feb 06, 2023 11:10 AM