A customer was having a lot of issues deploying the VA. The error that was seen in the ccg was regarding encryption and they were told the passphrase was incorrect. We also saw other connectivity issues that are now addressed.
I configured the new VA boxes after connectivity issues were resolved. I deleted the existing VA boxes. I used the existing cluster. I used the same passphrase that the customer had used. It is under 20 characters and doesn't have any spaces or special characters; only letters were used.
We have the error “An error occurred while decrypting the message”
We can use curl commands for a connected system from the VA command line, but the tenant UI shows a timeout error on the connector. One document referenced that this can be common with a passphrase issue.
The config yaml shows a different keyPassphrase, apiKey and apiUser between the two VA servers. Should these be the same value, or at least should the keyPassphrase be the same on the two boxes?
Question:
Will doing a va-bootstrap reset allow us to start over? I have had issues with AWS images and had to rebuild the box. But that is usually when the ccg service and other services aren’t running.
Has anybody else run into this with AWS images recently?
Do we need to delete or reset the VA boxes and start with a new cluster creation in the Tenant UI?
We were able to perform the "va-bootstrap" reset on both VA boxes in the cluster. We created a new cluster, then ran "va-bootstrap set-passphrase" and paired them to the new cluster.
As part of the reset it disables the ccg and other services. After doing the set-passphrase we saw that these services were restarted, as expected, which we were not seeing on prior VA boxes that had connectivity issues.
Our assumption is that the cluster contained something residual from prior configuration attempts.
Primary Solution:
Creating a new cluster may address passphrase issues if retrying the repair fails and the passphrase was carefully entered, is less than 20 characters, and only has alphanumeric characters.
Triple check connectivity to all Public URLs.
If your VA cannot connect to ecr.us-east-1.amazonaws.com, it will break your VA to the point where it will need to be re-installed. This could be because OS updates were applied but the VA containers could not be updated; this would need validation from SailPoint.
I used the below script to discover the issue with the Primary URL connections that must be working.
#!/bin/bash
echo "Starting SailPoint VA connectivity test..."
echo "----------------------------------------------"

# Define the list of hosts to test
# NOTE: For wildcard domains, we pick a specific, known host (e.g., 'www.')
HOSTS_TO_TEST=(
    # Flatcar (updates)
    "www.flatcar-linux.org"
    # SailPoint (core services)
    "api.identitynow.com"
    "www.sailpoint.com"
    "va-access.infra.identitynow.com"
    # Note: If you have a specific tenant URL like 'my-tenant.identitynow.com', add it here!
    # LaunchDarkly (feature flags)
    "app.launchdarkly.com"
    # AWS S3 (general)
    "s3.amazonaws.com"
    # AWS ECR (container images)
    "api.ecr.us-east-1.amazonaws.com"
    "ecr.us-east-1.amazonaws.com"
    "874540850173.dkr.ecr.us-east-1.amazonaws.com"
    "229634586956.dkr.ecr.us-gov-west-1.amazonaws.com"
)

# Loop through each host and test it
for HOST in "${HOSTS_TO_TEST[@]}"; do
    echo -n "Testing: $HOST ... "
    # Use curl with -v (verbose) and -I (HEAD request)
    # Redirect stderr (verbose output) and stdout (headers) to /dev/null
    # We only care about the exit code.
    # Expand the host as ${HOST}; writing {$HOST} hands curl a URL-glob brace instead.
    if curl -v -I "https://${HOST}" --connect-timeout 5 &> /dev/null; then
        echo "✅ SUCCESS"
    else
        echo "❌ FAILURE"
        echo "   (Tip: Run 'curl -v https://${HOST}' for detailed error info)"
    fi
done

echo "----------------------------------------------"
echo "Test complete."
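The script above only reports pass or fail per host. The following is an added example (not from the original post or from SailPoint) that also checks a passphrase against the rules stated above (under 20 characters, letters and digits only) and turns curl's exit code into a diagnosis, so a DNS problem, a blocked port, and a TLS-inspecting proxy can be told apart. The host list is the one from the post; the `run` argument convention and the exit-code wording are assumptions.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes curl is installed.

# Returns 0 when the passphrase meets the rules from the post:
# under 20 characters, letters and digits only, no spaces.
check_passphrase() {
  pp="$1"
  [ -n "$pp" ] || return 1
  [ "${#pp}" -lt 20 ] || return 1
  case "$pp" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# Maps a curl exit code to a short diagnosis (codes per curl's man page).
classify_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "DNS: could not resolve host" ;;
    7)  echo "TCP: connection refused or blocked (firewall/proxy?)" ;;
    28) echo "timeout: no answer within connect-timeout" ;;
    35) echo "TLS: handshake failed" ;;
    60) echo "TLS: certificate not trusted (TLS-inspecting proxy?)" ;;
    *)  echo "curl exit $1 (see EXIT CODES in 'man curl')" ;;
  esac
}

# HEAD request to https://$1; prints the diagnosis and returns curl's exit code.
check_host() {
  curl -s -I --connect-timeout 5 -o /dev/null "https://$1" 2>/dev/null
  rc=$?
  printf '%-50s %s\n' "$1" "$(classify_curl_exit "$rc")"
  return "$rc"
}

# Hosts from the post (wildcard domains replaced by a known host).
VA_HOSTS="www.flatcar-linux.org api.identitynow.com www.sailpoint.com \
va-access.infra.identitynow.com app.launchdarkly.com s3.amazonaws.com \
api.ecr.us-east-1.amazonaws.com ecr.us-east-1.amazonaws.com \
874540850173.dkr.ecr.us-east-1.amazonaws.com"

# Network checks run only when invoked as: ./va-check.sh run
if [ "${1:-}" = "run" ]; then
  failed=0
  for h in $VA_HOSTS; do check_host "$h" || failed=$((failed + 1)); done
  echo "Hosts failing: $failed"
fi
```

Run it with `run` on the VA itself, since the point is to test egress from the box; an exit-60 line on every host usually means a proxy is re-signing TLS.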