When installing PCF 1.3.2 on vCloud Air I ran into an “SSL Handshake error”
when attempting to access the Cloud Foundry Ops Mgr setup page.
Firefox reported the following error:
A quick test with openssl verified the issue:
$ openssl s_client -connect 22.214.171.124:443
140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Protocol : TLSv1
Cipher : 0000
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1415297890
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Each vCloud Air Virtual Data Center includes two public IP addresses on the Gateway Appliance.
During setup for Pivotal Cloud Foundry, NAT rules are configured to map one of the IPs to the PCF Ops Manager
and the other IP to the gateway load balancer.
Apparently the two public IPs are not equivalent.
If you encounter the SSL error above, change the Gateway NAT rules to reverse the IP mappings,
so that the IP currently mapped to the router is mapped to Ops Manager instead.
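Before swapping the NAT rules it helps to confirm which of the two public IPs actually completes a TLS handshake. The script below is an added example, not part of the original post: it runs the same openssl s_client check against each IP and classifies the output, using the failing output quoted above as an offline self-check. The gateway IP arguments are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post: probe a host:port with
# openssl s_client and classify what came back, so the two public gateway
# IPs can be compared before touching the NAT rules.

# Classify openssl s_client output read from stdin. Prints one word:
#   handshake-failure  server answered but the TLS handshake failed
#   nocert             handshake finished but no certificate was presented
#   ok                 handshake finished and a certificate was returned
#   unreachable        no TLS session at all (connection refused, timeout)
# Order matters: the failing output quoted in the post still ends with
# "Verify return code: 0 (ok)", so that line alone proves nothing.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'ssl handshake failure'; then
        echo handshake-failure
    elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo nocert
    elif printf '%s\n' "$out" | grep -q 'Verify return code'; then
        echo ok
    else
        echo unreachable
    fi
}

# Run openssl s_client against HOST:PORT. Empty stdin makes s_client exit
# right after the handshake; stderr is merged because the error goes there.
probe_tls() {
    openssl s_client -connect "$1:$2" </dev/null 2>&1 | classify_handshake
}

# Probe every IP given and print a verdict for each (port 443, as in the post).
probe_gateway_ips() {
    for ip in "$@"; do
        printf '%s: %s\n' "$ip" "$(probe_tls "$ip" 443)"
    done
}

# Offline self-check on the failing output quoted in the post.
self_check() {
    printf '%s\n' \
        '140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:' \
        'no peer certificate available' \
        'Verify return code: 0 (ok)' | classify_handshake
}

# Usage: ./probe.sh OPSMGR_PUBLIC_IP LB_PUBLIC_IP   (placeholders, use your own)
if [ $# -eq 2 ]; then
    probe_gateway_ips "$1" "$2"
fi
```

If the IP that is supposed to front Ops Manager reports handshake-failure while the other reports ok, the mappings are the wrong way round and the NAT swap below applies.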
Given the two Gateway IPs, with Ops Manager on 192.168.109.2 and the Gateway Load Balancer on 192.168.109.10, the original NAT rules are:

Applied On   Type   Original IP      Original Port   Translated IP    Translated Port   Protocol
d2p3-ext     DNAT   126.96.36.199    Any             192.168.109.2    Any               TCP
d2p3-ext     DNAT   188.8.131.52     Any             192.168.109.10   Any               TCP
Change the NAT rules to:

Applied On   Type   Original IP      Original Port   Translated IP    Translated Port   Protocol
d2p3-ext     DNAT   184.108.40.206   Any             192.168.109.10   Any               TCP
d2p3-ext     DNAT   220.127.116.11   Any             192.168.109.2    Any               TCP