Sending Authentication Certificate Registration Request from the Security Server to the Central Server Fails
Problem
Sending an authentication certificate registration request from the Security Server to the Central Server fails. The following error is logged in the /var/log/xroad/proxy_ui_api.log log file:
Central server TLS certificate does not match in global conf.
Solution
The TLS certificate of the Central Server's authentication certificate registration request interface (Central Server port 4001) is distributed to Security Servers in the global configuration. When the Security Server establishes a TLS connection to the interface, it verifies that the TLS certificate returned by the interface during the TLS handshake matches the certificate in the global configuration. If the certificates don't match, establishing the TLS connection fails and the following error is returned:
Central server TLS certificate does not match in global conf.
Usually, the problem is caused by a reverse proxy sitting in front of the Central Server. If TLS termination is done by the reverse proxy, the connection fails because the reverse proxy's TLS certificate is not included in the global configuration and therefore the Security Server doesn't trust it. The solution is to configure the reverse proxy to use SSL passthrough so that TLS termination takes place on the Central Server. The configuration details depend on the reverse proxy implementation and vary between solutions.
Using a reverse proxy in front of the Central Server is supported, but the reverse proxy must be configured to use SSL passthrough and TLS termination must take place on the Central Server, not on the reverse proxy.
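To confirm whether a TLS-terminating reverse proxy is the cause, the check the Security Server performs can be reproduced by hand: fetch the certificate that port 4001 presents in the handshake and compare it byte for byte with the one in the global configuration. The script below is an added example, not X-Road code; it assumes the expected certificate is supplied on the command line as base64-encoded DER, in the form it is stored in the global configuration XML.

```python
"""Diagnostic for the 'Central server TLS certificate does not match in
global conf' error: compare the certificate served on the Central Server's
authentication certificate registration interface (port 4001) with the
certificate held in global configuration.
Added example, not X-Road code. Assumption: the expected certificate is
given as base64 DER text, as stored in the global configuration XML."""
import base64
import hashlib
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate (openssl style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def expected_cert_from_globalconf(b64_der: str) -> bytes:
    """Decode base64 DER text; whitespace/line breaks from the XML are ignored."""
    return base64.b64decode("".join(b64_der.split()))


def presented_cert(host: str, port: int = 4001) -> bytes:
    """Fetch the certificate the interface presents during the TLS handshake.
    No chain validation: the aim is to see what is actually served, which is
    the reverse proxy's certificate if the proxy terminates TLS."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def certs_match(presented_der: bytes, expected_der: bytes) -> bool:
    """Exact DER comparison, i.e. the same strictness as the Security Server's check."""
    return presented_der == expected_der


def diagnose(host: str, expected_b64: str, port: int = 4001) -> str:
    expected = expected_cert_from_globalconf(expected_b64)
    served = presented_cert(host, port)
    if certs_match(served, expected):
        return "OK: port %d presents the certificate from global configuration" % port
    return ("MISMATCH: global conf has %s, port %d presented %s; check for a "
            "TLS-terminating reverse proxy in front of the Central Server"
            % (sha256_fingerprint(expected), port, sha256_fingerprint(served)))


if __name__ == "__main__":
    # usage: python check_cs_cert.py <central-server-host> <base64-DER-certificate>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A MISMATCH result whose presented fingerprint belongs to the proxy's certificate confirms that TLS is being terminated before the Central Server.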