IBM Support

QRadar: Apps migration fails due to Unable to communicate with API "certificate signed by unknown authority" error

Troubleshooting


Problem

Apps migration from the Console to the AppHost fails due to bad certificates on the AppHost. Usually, it fails in stage 4 (Starting apps on Target host) and throws "Unable to communicate with API" and "certificate signed by unknown authority" errors.

Symptom

The following error messages can be found in the qradar.log file:
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59066: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59084: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59100: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59102: remote error: tls: bad certificate

Cause

If a custom certificate is configured when you add an AppHost to the environment, the certificates might encounter an error where they are not copied properly from the Console to the AppHost. These bad certificates can cause an issue while migrating apps to the AppHost.

Diagnosing The Problem

  1. SSH into the QRadar console.
  2. SSH onto the AppHost.
  3. Run the following command:
    /opt/qradar/support/recon ps
  4. If it prints an error similar to the following, proceed to the next step:
    Unable to communicate with API. Received error: An API error occurred. The API returned the error: Get https://<CONSOLE_ADDRESS>/api/gui_app_framework/applications: x509: certificate signed by unknown authority
  5. Run the following command on both the AppHost and the console and compare the output:
    ls -lrt /etc/pki/ca-trust/source/anchors/

    Result
    If there is a difference between the certificates, follow the steps in Resolving The Problem. If the certificates are the same, you are not experiencing this error.
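
Added example (not part of the original IBM document and not IBM code): ls -lrt shows only names, sizes, and timestamps, so this script compares the two anchor directories by SHA-256 hash, which also catches a file that exists on the AppHost but was copied incompletely. The function names and manifest file names are assumptions made for illustration, and the files created in demo are constructed placeholders, not real certificates.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): compare CA trust anchors by content, not by listing.

# Print "<sha256>  <name>" for each regular file in directory $1.
anchor_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          if [ -f "$f" ]; then sha256sum -- "$f"; fi
      done )
}

# Compare a Console manifest ($1) with an AppHost manifest ($2).
anchor_compare() {
    awk '
        { name = substr($0, 67) }                     # 64 hex chars + 2 separators
        FILENAME == ARGV[1] { console[name] = $1; next }
        { apphost[name] = $1 }
        END {
            for (n in console) {
                if (!(n in apphost))                print "MISSING_ON_APPHOST " n
                else if (apphost[n] != console[n])  print "CONTENT_DIFFERS " n
            }
            for (n in apphost)
                if (!(n in console))                print "EXTRA_ON_APPHOST " n
        }' "$1" "$2" | sort
}

# Constructed sample: placeholder files stand in for certificates.
demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir "$tmp/console" "$tmp/apphost"
    printf 'root-ca-bytes\n'  > "$tmp/console/custom-root.crt"
    printf 'inter-ca-bytes\n' > "$tmp/console/custom-intermediate.crt"
    printf 'root-ca-by'       > "$tmp/apphost/custom-root.crt"   # truncated copy
    anchor_manifest "$tmp/console" > "$tmp/console.sha256"
    anchor_manifest "$tmp/apphost" > "$tmp/apphost.sha256"
    anchor_compare "$tmp/console.sha256" "$tmp/apphost.sha256"
    rm -rf "$tmp"
}

# Real use, from the Console (path and <APPHOST_IP> as in the steps on this page):
#   anchor_manifest /etc/pki/ca-trust/source/anchors > console.sha256
#   ssh root@<APPHOST_IP> "$(declare -f anchor_manifest); anchor_manifest /etc/pki/ca-trust/source/anchors" > apphost.sha256
#   anchor_compare console.sha256 apphost.sha256
if [ "${1:-}" = "--demo" ]; then demo; fi
```

No output from anchor_compare means both hosts hold identical anchor files; any MISSING_ON_APPHOST or CONTENT_DIFFERS line names a certificate to copy in Resolving The Problem.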

Resolving The Problem

  1. SSH into your QRadar console.
  2. Copy the missing certificates from the Console to the AppHost. Change <CERT_NAME1>, <CERT_NAME2>, and <APPHOST_IP> to their appropriate values.
    scp <CERT_NAME1>.crt <CERT_NAME2>.crt root@<APPHOST_IP>:/etc/pki/ca-trust/source/anchors/
  3. Update the CA certificates on the Console and the AppHost by executing the following command on both hosts:
    update-ca-trust
  4. Migrate apps from the Console to the AppHost again by changing where apps are run.
  5. Confirm whether the apps are in a running state by using the following command:
    /opt/qradar/support/qappmanager

    Result
    Wait until the apps are in a running state and try to access the apps after some time to check whether they are working normally. If apps are in a stopped or error state, see "QRadar: Starting apps that are in an ERROR state or do not display in the user interface" to start the apps. If you are still having an issue, contact support.

Document Location

Worldwide


Document Information

Modified date:
10 February 2023

UID

ibm16856949