Troubleshooting
Problem
Apps migration from Console to AppHost fails due to a bad certificates on AppHost. Usually, it fails in stage 4 (Starting apps on Target host) and throws "Unable to communicate with API" and "certificate signed by unknown authority" errors.
Symptom
The following error messages can be found in qradar.log file:
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59066: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59084: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59100: remote error: tls: bad certificate
<HOSTNAME> dockerd[22742]: http: TLS handshake error from <IP_ADDRESS>:59102: remote error: tls: bad certificate
Cause
If there is a custom certificate configured, when you add a AppHost to the environment, the certificates might encounter and error where they are not copied properly from the Console to the AppHost. These bad certificates can cause an issue while migrating apps to the AppHost.
Diagnosing The Problem
- SSH into the QRadar console.
- SSH onto the AppHost.
- Run the following command:
/opt/qradar/support/recon ps
-
If it prints an error similar to the following, proceed to the next step:
Unable to communicate with API. Received error: An API error occurred. The API returned the error: Get https://<CONSOLE_ADDRESS>/api/gui_app_framework/applications: x509: certificate signed by unknown authority
- Run the following command on both the AppHost and the console and compare the output:
ls -lrt /etc/pki/ca-trust/source/anchors/
Result
If there is a difference between certificates, then you can follow the steps in Resolving the Problem. If the certificates are the same, you are not experiencing this error
Resolving The Problem
- SSH into your QRadar console.
- Copy the missing certificates from Console to the AppHost. Change the <CERT_NAME1>, <CERT_NAME2>, and <APPHOST_IP> to their appropriate values.
scp <CERT_NAME1>.crt <CERT_NAME2>.crt root@<APPHOST_IP>:/etc/pki/ca-trust/source/anchors/
- Update the CA certificate on Console and AppHost by executing the following command on both hosts:
update-ca-trust
- Migrate apps from the Console to AppHost again by changing where apps are run.
- Confirm whether the apps are in a running state by using the following command:
/opt/qradar/support/qappmanager
ResultWait until the apps are in a running state and try to access the apps after some time to check whether it is working normally. If apps are in a stopped or error state, see QRadar: Starting apps that are in an ERROR state or do not display in the user interface to start the apps. If you are still having an issue, contact support.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.0;and future releases"}]
Was this topic helpful?
Document Information
Modified date:
10 February 2023
UID
ibm16856949