GitHub user NikhilGade07 added a comment to the discussion: error in cloudstack agent
**CloudStack Agent SSL Handshake Failure Across WireGuard VPN**

This is a certificate trust issue, not a network connectivity problem. The TCP connection works fine (as confirmed by nc), but the CloudStack agent on the .2 network host is failing the SSL/TLS handshake because it doesn't trust the management server's certificate.

**The key log line tells the whole story:**

Failed to load keystore, using trust all manager ... Received fatal alert: bad certificate — The client may have invalid ca-certificates.

**Root Cause**

When you added the .1 network host, CloudStack's management server provisioned that agent with its SSL certificates. The .2 network host is in a separate pod with a fresh agent installation — it's missing the CloudStack management server's CA certificate in its keystore (/etc/cloudstack/agent/).

**_Fix_**

**Option 1** — Copy certificates from a working .1 host (quickest)

On your working .1 host, grab the agent keystore:

```bash
ls /etc/cloudstack/agent/
# Look for cloud.jks or similar keystore files
```

Copy cloud.jks (and any .cer / .crt files) to the .2 host at the same path, then restart the agent:

```bash
sudo systemctl restart cloudstack-agent
```

**Option 2** — Re-run agent setup via management server

On the .2 host, clear the existing keystore and let CloudStack re-provision it:

```bash
sudo rm -f /etc/cloudstack/agent/cloud.jks
sudo cloudstack-setup-agent
# Point it to 192.168.1.102 when prompted
```

**Option 3** — Manual certificate import

Export the mgmt server cert and import it into the agent's truststore:

```bash
# On management server
keytool -export -alias cloud -keystore /etc/cloudstack/management/cloud.jks \
  -file cloud-mgmt.cer -storepass vmops

# Copy cloud-mgmt.cer to the .2 host, then:
sudo keytool -import -alias cloud -file cloud-mgmt.cer \
  -keystore /etc/cloudstack/agent/cloud.jks -storepass vmops -noprompt
sudo systemctl restart cloudstack-agent
```

GitHub link: https://github.com/apache/cloudstack/discussions/12936#discussioncomment-16414111

----
This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
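Option 3 above imports the copied certificate with `-noprompt`, which skips keytool's trust confirmation, so it helps to confirm that the file that arrived on the .2 host is the same certificate that was exported on the management server. The following is an added example, not part of the original comment or of CloudStack; the function names are hypothetical, and it assumes `openssl` is installed on both machines.

```shell
#!/bin/sh
# Added example: compare SHA-256 fingerprints of a certificate file
# before and after it is copied between hosts.

# Print the SHA-256 fingerprint of a certificate file.
# keytool -export writes DER unless -rfc is given, so both encodings are tried.
cert_fingerprint() {
    local file="$1" fmt out
    for fmt in PEM DER; do
        if out=$(openssl x509 -in "$file" -inform "$fmt" \
                 -noout -fingerprint -sha256 2>/dev/null); then
            # Output looks like "sha256 Fingerprint=AB:CD:..."; keep the hex part.
            printf '%s\n' "${out#*=}"
            return 0
        fi
    done
    echo "cannot parse certificate: $file" >&2
    return 1
}

# Return 0 if both files hold the same certificate, 1 if they differ,
# 2 if either file cannot be parsed as a certificate.
same_certificate() {
    local a b
    a=$(cert_fingerprint "$1") || return 2
    b=$(cert_fingerprint "$2") || return 2
    [ "$a" = "$b" ]
}

# Typical use with the file name from Option 3:
#   on the management server:  cert_fingerprint cloud-mgmt.cer
#   on the .2 host (the copy): cert_fingerprint cloud-mgmt.cer
# Import only if the two printed values match.
```

The same value can be compared against the fingerprint that `keytool -list -v` reports for the `cloud` alias after the import.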
