Maestro Orchestrators recognize each other as known peers but fail to establish secure REST communication.

Health Check Point (HCP) reports these errors:
Orchestrators REST server.........................[ERROR]
Maestro Orchestrator Authentication...............[ERROR]

Orchestrator logs or HCP output show messages similar to:
Orchestrator is known but cannot securely communicate. The certificate has expired in 2010.

On each Orchestrator, under /etc/local_cert/:
certificate.pem – expired Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate (expiry in 2010).
certificate.pem.new – newer, valid certificate.

After running authd reset-cert (in Expert mode) on the Orchestrator, the command orch_stat -Av continues to show "Local can REST: false" until the httpd2 process is restarted.

The instructions in sk182406 do not resolve the issue.
An expired SSL/TLS certificate used for the internal HTTPS (REST API) communication between Orchestrators caused the issue. Although a valid new certificate (/etc/local_cert/certificate.pem.new) had already been generated, it was not promoted to replace the active certificate (certificate.pem), so the httpd2 process continued to present the expired one. In addition, httpd2 reads its certificates only at startup and does not reload a replaced file, so a manual restart is required even after the new certificate is in place. A time skew between Orchestrators may also contribute to certificate validation failures, because each peer checks the certificate's validity period against its own clock.
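The checks and the promotion step described above, as an added shell example for the Orchestrator's Expert mode (this is not Check Point's own tooling and is not taken from sk182406). The paths, file names and the "Local can REST: false" string come from the page; the skew tolerance (SKEW_LIMIT, 300 s), the backup naming and the use of openssl for the expiry check are assumptions. The httpd2 restart itself is left to the operator, because the page states that the restart is required but does not name the command.

```sh
#!/bin/sh
# Added example: diagnose and fix the expired-certificate state described on the page.
# Assumptions (not from the page): openssl is available in Expert mode, a 300 s clock
# skew tolerance, and the backup file name used by promote_cert.

CERT_DIR="${CERT_DIR:-/etc/local_cert}"   # path from the page
SKEW_LIMIT="${SKEW_LIMIT:-300}"           # assumed tolerance in seconds

# Exit 0 if the PEM certificate in $1 has already expired (notAfter <= now),
# 1 if it is still valid, 2 if the file is unreadable or not a certificate.
# openssl x509 -checkend 0 exits non-zero once notAfter is in the past.
cert_expired() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 if orch_stat -Av output on stdin still reports "Local can REST: false",
# i.e. httpd2 has not yet been restarted after the certificate was replaced.
rest_blocked() {
    grep -q 'Local can REST:[[:space:]]*false'
}

# Print |$1 - $2| in seconds; $1 and $2 are epoch times (date +%s) read on two
# Orchestrators, so the difference is the clock skew between them.
skew_seconds() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    echo "$d"
}

# Exit 0 if the skew between the two epoch times is within SKEW_LIMIT.
skew_within_limit() {
    [ "$(skew_seconds "$1" "$2")" -le "$SKEW_LIMIT" ]
}

# Promote certificate.pem.new to certificate.pem in directory $1, keeping the old
# (expired) file as a timestamped backup. Exit 1 if there is nothing to promote.
promote_cert() {
    dir="${1:-$CERT_DIR}"
    [ -f "$dir/certificate.pem.new" ] || return 1
    if [ -f "$dir/certificate.pem" ]; then
        cp -p "$dir/certificate.pem" "$dir/certificate.pem.expired.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp -p "$dir/certificate.pem.new" "$dir/certificate.pem"
}

main() {
    if cert_expired "$CERT_DIR/certificate.pem"; then
        echo "active certificate is expired; promoting certificate.pem.new"
        promote_cert "$CERT_DIR" || { echo "no certificate.pem.new to promote" >&2; return 1; }
        echo "now restart httpd2: it only reads certificates at startup"
    fi
    if orch_stat -Av 2>/dev/null | rest_blocked; then
        echo "orch_stat still reports 'Local can REST: false'; httpd2 has not been restarted"
    fi
}

# Run the full check only when invoked as: sh fix_orch_cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root in Expert mode on each Orchestrator, then restart httpd2 and confirm with orch_stat -Av that "Local can REST" is no longer false. Compare `date +%s` from both Orchestrators with skew_within_limit before trusting a validation failure as a certificate problem.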
Gaia
Maestro Orchestrator