"Unable to authenticate with SailPoint" error message during VA setup

mathieug · April 5, 2024, 9:45am

Hello,

I’m trying to setup a VA. I did the following actions:

Download va-latest image file.
Import it into VMWare workstation
Downloaded the VA config file
Copied the VA config file into the VA
Test connection failed

When I look into the va_agent.log I have the following stacktrace error:

{"@timestamp":"2024-04-05T09:42:30.075","level":"INFO","type":"agent","message":"checking credentials"}
{"@timestamp":"2024-04-05T09:42:30.076","level":"DEBUG","type":"agent","message":"found credentials"}
{"@timestamp":"2024-04-05T09:42:30.077","level":"INFO","type":"api","message":"Initializing connection to SailPoint API at https://stg01-useast1.accessiq.sailpoint.com/partner07"}
{"@timestamp":"2024-04-05T09:42:30.077","level":"DEBUG","type":"api","message":"Falling back to cc poll: {\"status\":\"NORMAL\",\"hostname\":\"sailpoint-va\",\"internal_ip\":\"192.168.52.130\",\"cookbook_etag\":null,\"ccg_etag\":null,\"ccg_pin\":\"NONE\",\"platform_version\":2,\"os_version\":null,\"os_type\":null,\"hypervisor\":null,\"product\":\"idn\",\"tunnel_traffic\":null,\"disk_percent_used\":{},\"disk_free_mb\":{},\"docker_versions\":{},\"stacktrace\":null}"}
{"@timestamp":"2024-04-05T09:42:30.156","level":"ERROR","type":"api","message":"api.post: RestClient::SSLCertificateNotVerified: SSL_connect returned=1 errno=0 peeraddr=54.84.232.103:443 state=error: certificate verify failed (self-signed certificate in certificate chain): [\"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:776:in `rescue in transmit'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:651:in `transmit'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/resource.rb:69:in `post'\", \"/opt/sailpoint/lib/api.rb:78:in `block in post'\", \"/usr/local/lib/ruby/3.2.0/timeout.rb:189:in `block in timeout'\", \"/usr/local/lib/ruby/3.2.0/timeout.rb:36:in `block in catch'\", \"/usr/local/lib/ruby/3.2.0/timeout.rb:36:in `catch'\", \"/usr/local/lib/ruby/3.2.0/timeout.rb:36:in `catch'\", \"/usr/local/lib/ruby/3.2.0/timeout.rb:198:in `timeout'\", \"/opt/sailpoint/lib/api.rb:77:in `post'\", \"/opt/sailpoint/lib/api.rb:177:in `poll'\", \"/opt/sailpoint/va_agent.rb:130:in `poll_server'\", \"/opt/sailpoint/va_agent.rb:260:in `are_credentials_valid?'\", \"/opt/sailpoint/va_agent.rb:310:in `wait_for_valid_credentials'\", \"/opt/sailpoint/va_agent.rb:590:in `block in <main>'\", \"/opt/sailpoint/va_agent.rb:585:in `loop'\", \"/opt/sailpoint/va_agent.rb:585:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:42:30.157","level":"ERROR","type":"agent","message":"Poll error: client info response NIL"}
{"@timestamp":"2024-04-05T09:42:30.157","level":"ERROR","type":"agent","message":"Unable to authenticate with SailPoint."}

If anyone can help me find the solution, I will be very grateful.
Thank you in advance for your help.

Regards,
MathieuG

schattopadhy · April 5, 2024, 10:02am

where you are trying to setup in local? please wait for around 5 to 10 min before you test connection as it downloads certain components

mathieug · April 5, 2024, 11:30am

Yes I’m trying to setup in local. Even after 10-15 min I’m unable to connect the VA.
In the charon.log file I can find theses logs:

2024-04-05T09:35:25Z 742d8154a8ce /usr/local/bin/confd[22]: INFO Target config /opt/sailpoint/workflow/jobs/SYSTEM_EXEC out of sync
2024-04-05T09:35:25Z 742d8154a8ce /usr/local/bin/confd[22]: INFO Target config /opt/sailpoint/workflow/jobs/SYSTEM_EXEC has been updated
{"@timestamp":"2024-04-05T09:35:25.318","level":"INFO","type":"gateway","message":"Generating new CSR for OU=stg01-useast1|partner07,CN=fc7cec1c-7ff1-4749-976a-edbcc1b2e553"}
{"@timestamp":"2024-04-05T09:35:25.318","level":"DEBUG","type":"gateway","message":"Running /usr/bin/openssl req -new -out /opt/sailpoint/share/secure/va-gateway.csr -newkey rsa:2048 -nodes -sha256 -keyout /opt/sailpoint/share/secure/va-gateway.key -config /opt/sailpoint/share/secure/va-gateway.cnf"}
{"@timestamp":"2024-04-05T09:35:26.019","level":"DEBUG","type":"api","message":"POST https://partner07.api.identitynow.com/oauth/token?grant_type=client_credentials: 200"}
{"@timestamp":"2024-04-05T09:35:27.353","level":"DEBUG","type":"api","message":"POST https://partner07.api.identitynow.com/beta/managed-clients/fc7cec1c-7ff1-4749-976a-edbcc1b2e553/certificates: 200"}
{"@timestamp":"2024-04-05T09:35:27.354","level":"INFO","type":"gateway","message":"Wrote /opt/sailpoint/share/secure/va-gateway.crt, serial 307299915016225891827432658765390442440, not before 2024-04-05 08:35:26 UTC, not after 2025-04-03 09:35:26 UTC"}
{"@timestamp":"2024-04-05T09:35:27.354","level":"ERROR","type":"gateway","message":"Error refreshing va gateway certificate: NoMethodError undefined method `length' for nil:NilClass [\"/opt/sailpoint/lib/v2/gateway.rb:178:in `export_to_pkcs12'\", \"/opt/sailpoint/lib/v2/gateway.rb:37:in `refresh_certificate'\", \"/opt/sailpoint/lib/v2/s3.rb:87:in `va_cli_env'\", \"/opt/sailpoint/lib/configuration.rb:290:in `check_proxy'\", \"/opt/sailpoint/run.rb:74:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:29.450","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach app.datadoghq.com: SSL_connect returned=1 errno=0 peeraddr=3.233.150.210:443 state=error: certificate verify failed (self-signed certificate in certificate chain)\n[\"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock'\", \"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1342:in `connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1248:in `do_start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1237:in `start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1817:in `request'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1575:in `get'\", \"/opt/sailpoint/lib/configuration.rb:654:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:650:in `each'\", \"/opt/sailpoint/lib/configuration.rb:650:in `check_networking'\", \"/opt/sailpoint/run.rb:75:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:29.513","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach fiji.identitynow.com: SSL_connect returned=1 errno=0 peeraddr=52.87.64.115:443 state=error: certificate verify failed (self-signed certificate in certificate chain)\n[\"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock'\", \"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1342:in `connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1248:in `do_start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1237:in `start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1817:in `request'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1575:in `get'\", \"/opt/sailpoint/lib/configuration.rb:654:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:650:in `each'\", \"/opt/sailpoint/lib/configuration.rb:650:in `check_networking'\", \"/opt/sailpoint/run.rb:75:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:30.060","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach public.update.flatcar-linux.net: SSL_connect returned=1 errno=0 peeraddr=3.78.9.162:443 state=error: certificate verify failed (self-signed certificate in certificate chain)\n[\"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock'\", \"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1342:in `connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1248:in `do_start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1237:in `start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1817:in `request'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1575:in `get'\", \"/opt/sailpoint/lib/configuration.rb:654:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:650:in `each'\", \"/opt/sailpoint/lib/configuration.rb:650:in `check_networking'\", \"/opt/sailpoint/run.rb:75:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:30.116","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach sqs.us-east-1.amazonaws.com: SSL_connect returned=1 errno=0 peeraddr=3.239.232.53:443 state=error: certificate verify failed (self-signed certificate in certificate chain)\n[\"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock'\", \"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1342:in `connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1248:in `do_start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1237:in `start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1817:in `request'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1575:in `get'\", \"/opt/sailpoint/lib/configuration.rb:654:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:650:in `each'\", \"/opt/sailpoint/lib/configuration.rb:650:in `check_networking'\", \"/opt/sailpoint/run.rb:75:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:30.173","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach fiji.accessiq.sailpoint.com: SSL_connect returned=1 errno=0 peeraddr=52.20.115.131:443 state=error: certificate verify failed (self-signed certificate in certificate chain)\n[\"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `connect_nonblock'\", \"/usr/local/lib/ruby/3.2.0/net/protocol.rb:46:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1342:in `connect'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1248:in `do_start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1237:in `start'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1817:in `request'\", \"/usr/local/lib/ruby/3.2.0/net/http.rb:1575:in `get'\", \"/opt/sailpoint/lib/configuration.rb:654:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:650:in `each'\", \"/opt/sailpoint/lib/configuration.rb:650:in `check_networking'\", \"/opt/sailpoint/run.rb:75:in `block in <main>'\", \"/opt/sailpoint/run.rb:65:in `loop'\", \"/opt/sailpoint/run.rb:65:in `<main>'\"]"}
{"@timestamp":"2024-04-05T09:35:30.173","level":"INFO","type":"configuration","message":"Networking check results:\napp.datadoghq.com => ERROR\nfiji.identitynow.com => ERROR\nops-fiji.api.identitynow.com => PASS\npublic.update.flatcar-linux.net => ERROR\nsqs.us-east-1.amazonaws.com => ERROR\nfiji.accessiq.sailpoint.com => ERROR"}```

schattopadhy · April 5, 2024, 11:38am

check if curl -i htttps://yourtenanturl
gives any output if yes let me know

mathieug · April 5, 2024, 11:51am

Yes I have output :
sailpoint@sailpoint-va ~/log $ curl -i https://partner07.identitynow.com

HTTP/2 302
date: Fri, 05 Apr 2024 11:50:25 GMT
content-length: 0
location: https://partner07.identitynow.com/ui
set-cookie: AWSALB=QCZoyh78ArHTYSI4Ow3OsZX3vmltk1Wbeo5JZMc6JexYY9gdiO3/PclsSjtxWpZPhMh3t3LLsh631dU9H35gEAvN8RR3TQ1L7rdc4nToJapdOdWbWLy5ztkcHfV6; Expires=Fri, 12 Apr 2024 11:50:25 GMT; Path=/
slpt-request-id: 7e4d4e3a-8540-4883-be7d-eeeedc538d29
content-security-policy: default-src 'none'; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-frame-options: sameorigin
strict-transport-security: max-age=31536000; includeSubDomains
permissions-policy: camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), web-share=(),
x-robots-tag: noindex
cf-cache-status: DYNAMIC
set-cookie: AWSALBCORS=QCZoyh78ArHTYSI4Ow3OsZX3vmltk1Wbeo5JZMc6JexYY9gdiO3/PclsSjtxWpZPhMh3t3LLsh631dU9H35gEAvN8RR3TQ1L7rdc4nToJapdOdWbWLy5ztkcHfV6; Expires=Fri, 12 Apr 2024 11:50:25 GMT; Path=/; SameSite=None; Secure
set-cookie: CCSESSIONID=EE828AC832D6F7956A48006574919CCE; Path=/; Secure; HttpOnly
set-cookie: __cf_bm=LHFyHqofEtZ6FTyfEjh4utSpcYUr7kEHVdTKLf5SBeQ-1712317825-1.0.1.1-Z6f3CdPbRSmjsZI2RdJfH1V3HV6nwn9wAGbu00Da9UT4qLh.B7ckoJ6eqa2Px69.H_uCJuVciXp_Rys3YAbWUg; path=/; expires=Fri, 05-Apr-24 12:20:25 GMT; domain=.identitynow.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 86f95204ed0311a5-MRS```

mathieug · April 8, 2024, 8:53am

Hi everyone,
I’m still trying to find a solution for this issue.
In the charon.log file I have the following errors:

{"@timestamp":"2024-04-08 08:47:02 +0000","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach app.datadoghq.com: SSL_connect returned=1 errno=0 state=error: certificate verify failed\n[\"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'\", \"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:928:in `connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1384:in `request'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1142:in `get'\", \"/opt/sailpoint/lib/configuration.rb:689:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:685:in `each'\", \"/opt/sailpoint/lib/configuration.rb:685:in `check_networking'\", \"/opt/sailpoint/run.rb:69:in `block in <main>'\", \"/opt/sailpoint/run.rb:59:in `loop'\", \"/opt/sailpoint/run.rb:59:in `<main>'\"]"}
{"@timestamp":"2024-04-08 08:47:02 +0000","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach fiji.identitynow.com: SSL_connect returned=1 errno=0 state=error: certificate verify failed\n[\"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'\", \"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:928:in `connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1384:in `request'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1142:in `get'\", \"/opt/sailpoint/lib/configuration.rb:689:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:685:in `each'\", \"/opt/sailpoint/lib/configuration.rb:685:in `check_networking'\", \"/opt/sailpoint/run.rb:69:in `block in <main>'\", \"/opt/sailpoint/run.rb:59:in `loop'\", \"/opt/sailpoint/run.rb:59:in `<main>'\"]"}
{"@timestamp":"2024-04-08 08:47:04 +0000","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach public.update.flatcar-linux.net: SSL_connect returned=1 errno=0 state=error: certificate verify failed\n[\"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'\", \"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:928:in `connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1384:in `request'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1142:in `get'\", \"/opt/sailpoint/lib/configuration.rb:689:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:685:in `each'\", \"/opt/sailpoint/lib/configuration.rb:685:in `check_networking'\", \"/opt/sailpoint/run.rb:69:in `block in <main>'\", \"/opt/sailpoint/run.rb:59:in `loop'\", \"/opt/sailpoint/run.rb:59:in `<main>'\"]"}
{"@timestamp":"2024-04-08 08:47:04 +0000","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach sqs.us-east-1.amazonaws.com: SSL_connect returned=1 errno=0 state=error: certificate verify failed\n[\"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'\", \"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:928:in `connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1384:in `request'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1142:in `get'\", \"/opt/sailpoint/lib/configuration.rb:689:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:685:in `each'\", \"/opt/sailpoint/lib/configuration.rb:685:in `check_networking'\", \"/opt/sailpoint/run.rb:69:in `block in <main>'\", \"/opt/sailpoint/run.rb:59:in `loop'\", \"/opt/sailpoint/run.rb:59:in `<main>'\"]"}
{"@timestamp":"2024-04-08 08:47:04 +0000","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach fiji.accessiq.sailpoint.com: SSL_connect returned=1 errno=0 state=error: certificate verify failed\n[\"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'\", \"/usr/local/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:928:in `connect'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1384:in `request'\", \"/usr/local/lib/ruby/2.3.0/net/http.rb:1142:in `get'\", \"/opt/sailpoint/lib/configuration.rb:689:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:685:in `each'\", \"/opt/sailpoint/lib/configuration.rb:685:in `check_networking'\", \"/opt/sailpoint/run.rb:69:in `block in <main>'\", \"/opt/sailpoint/run.rb:59:in `loop'\", \"/opt/sailpoint/run.rb:59:in `<main>'\"]"}

The problem appears to be caused by an SSL certificate issue:

Any help would be really appreciated.

Thank you in advance.
Mathieu G

schattopadhy · April 8, 2024, 9:05am

1reboot the server
2-Delete the cluster
3 Create a new cluster
4- transfer the config and try again

Also if you have azure setup you can try there

mathieug · April 8, 2024, 12:04pm

What do you mean by reboot the server? Reboot the VA?
I already tried and unfortunately it didn’t solve the problem. I will try it at home with my personal computer and my local network and I will let you know.
Regards,
MathieuG

amansingh · April 10, 2024, 7:12pm

Have you had the chance to retry the VA deployment and have you followed this detailed documentation of Virtual-Appliance-Troubleshooting-Guide?

mathieug · April 11, 2024, 8:18am

Hello everyone,

I did a test on my personal laptop and everything works fine. The problem is with my company’s laptop. I’m working with them to fix it.

Thank you for your help,
Regards,
MathieuG

system · June 10, 2024, 8:18am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.