
Troubleshoot HashiCorp issues

on-prem only

Troubleshoot

Itential Platform can fail to connect to a HashiCorp Vault server that serves its API over HTTPS. When that happens, Itential Platform typically logs the following error:

UNABLE_TO_VERIFY_LEAF_SIGNATURE

Itential Platform runs on Node.js, and Node.js raises this error when it cannot build a chain of trust from the certificate Vault presents (the leaf) to a certificate authority it trusts. This is the usual outcome when Vault's certificate is issued by a private root CA, with or without an intermediate CA, whose certificates are not in the trust store Node.js uses. The fix is to make those CA certificates available to Platform, as described below; disabling certificate verification is not a fix, because it would leave the connection to the secrets store open to interception.

Add the Vault certificate chain to Platform

To fix this issue, perform the following steps on all Platform servers in your environment.

1

Create the certificate file

Create a file named vault.cert on your Platform server.

$ touch vault.cert
2

Add certificate contents

Copy the PEM-encoded contents of the certificates in Vault's TLS chain into the vault.cert file, one block after another. For example, if your Vault server uses an end-user certificate issued by an intermediate CA, which in turn is issued by a root CA, the resulting vault.cert file should look similar to the following. Strictly, only the CA certificates (intermediate and root) are needed to establish trust, because Vault sends its own end-user certificate during the TLS handshake; including the end-user certificate is harmless, but it becomes stale when Vault's certificate is renewed, whereas the CA certificates remain valid until the CAs themselves are rotated.

-----BEGIN CERTIFICATE-----
<Content of end-user certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Content of intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Content of root certificate>
-----END CERTIFICATE-----
3

Move the certificate file

Move the vault.cert file to the /etc/pki/tls/certs directory.

$ mv ./vault.cert /etc/pki/tls/certs
4

Set ownership

Assign ownership of the vault.cert file to the itential user.

$ chown itential: /etc/pki/tls/certs/vault.cert
5

Set permissions

Make sure the itential user has read-only access to the vault.cert file. No access should be granted to any groups or other users (numeric permission 400).

$ chmod 400 /etc/pki/tls/certs/vault.cert
6

Locate the service file

Determine the location of the Platform service file automation-platform.service by executing the systemctl status automation-platform command. In the following example, the service file is located at /usr/lib/systemd/system/automation-platform.service.

[root@localhost itential]# systemctl status automation-platform
● automation-platform.service - Itential Platform Service
   Loaded: loaded (/usr/lib/systemd/system/automation-platform.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-08-30 14:45:32 EDT; 1 weeks 4 days ago
 Main PID: 812873 (Pronghorn core)
    Tasks: 302 (limit: 36528)
   Memory: 3.5G
   CGroup: /system.slice/automation-platform.service
           ├─812873 Pronghorn core
           ├─812955 Pronghorn AppArtifacts Application
           ├─812983 Pronghorn AutomationCatalog Application
           ├─812991 Pronghorn AutomationStudio Application
7

Add environment variable

Add the following line to the [Service] section of the automation-platform.service file (an Environment= line placed in any other section is ignored by systemd). NODE_EXTRA_CA_CERTS makes Node.js, and therefore Platform, trust the CA certificates in vault.cert in addition to the system bundle. Node.js reads the file once at process start, which is why the service must be restarted after the file or this line changes. Note that a unit file under /usr/lib/systemd/system is replaced when the Platform package is upgraded; a drop-in override created with systemctl edit automation-platform, holding the same [Service] section and Environment= line under /etc/systemd/system/automation-platform.service.d/, survives upgrades.

Environment="NODE_EXTRA_CA_CERTS=/etc/pki/tls/certs/vault.cert"
8

Reload daemon

Reload the systemd manager configuration so that it picks up the edited unit file.

$ systemctl daemon-reload
9

Restart Platform

Restart the Itential Platform service.

$ systemctl restart automation-platform
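The following script is an added example and is not part of the Itential documentation or the Platform code. It builds a throwaway root, intermediate and leaf certificate chain with openssl in a temporary directory, assembles vault.cert in the order shown in step 2, installs the bundle with mode 400 as in step 5, writes the systemd drop-in from step 7, and then uses openssl verify to show that the leaf validates against the full bundle and against a CA-only bundle but not against the root alone, which is the situation that produces UNABLE_TO_VERIFY_LEAF_SIGNATURE. The host name vault.example.internal, the CA names, the drop-in file name and the temporary install paths are assumptions; the chown to the itential user is omitted because it requires root.

```shell
#!/bin/sh
# Added example, not Itential code. Builds a throwaway root -> intermediate -> leaf
# chain with openssl, assembles vault.cert as described in step 2, and checks
# which bundles let the leaf verify. Names and paths below are assumptions.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Helper: generate an EC key and CSR for a given subject common name.
new_csr() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Generate the test hierarchy. The intermediate must carry CA:TRUE, otherwise
# openssl refuses to use it as an issuer when building the chain.
make_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vault.example.internal\n' > "$d/leaf.ext"

    new_csr "$d/root" "Example Root CA" || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
        -days 30 -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1

    new_csr "$d/int" "Example Intermediate CA" || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1 || return 1

    new_csr "$d/leaf" "vault.example.internal" || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
}

# Number of PEM certificate blocks in a bundle file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 when the leaf chains to a self-signed root contained in the bundle,
# the same kind of chain building Node.js does with NODE_EXTRA_CA_CERTS loaded.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Copy the bundle into place with mode 400 as in step 5 (the chown to the
# itential user is omitted because it requires root).
install_bundle() {
    mkdir -p "$(dirname "$2")" && cp "$1" "$2" && chmod 400 "$2"
}

# Octal mode of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write the systemd drop-in for step 7; Environment= must sit under [Service].
write_dropin() {
    mkdir -p "$(dirname "$1")" || return 1
    printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$2" > "$1"
}

make_chain "$WORK" || { echo "certificate generation failed" >&2; exit 1; }

# vault.cert laid out as in step 2: leaf, then intermediate, then root.
cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/vault.cert"
# Only the CA certificates are needed for trust; Vault sends the leaf itself.
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/ca-only.cert"
# The root alone reproduces the failure: the leaf's issuer cannot be found.
cp "$WORK/root.crt" "$WORK/root-only.cert"

install_bundle "$WORK/vault.cert" "$WORK/etc/pki/tls/certs/vault.cert"
write_dropin "$WORK/etc/systemd/system/automation-platform.service.d/vault-ca.conf" \
    /etc/pki/tls/certs/vault.cert

for b in vault.cert ca-only.cert root-only.cert; do
    if verify_leaf "$WORK/leaf.crt" "$WORK/$b"; then
        echo "$b ($(count_certs "$WORK/$b") certs): leaf verifies"
    else
        echo "$b ($(count_certs "$WORK/$b") certs): leaf does NOT verify"
    fi
done
```

To check a real deployment rather than the throwaway chain, run the same openssl verify against the leaf certificate your Vault server actually serves and the vault.cert you installed; a failure there is the same failure Node.js reports at startup, and it is cheaper to find before restarting Platform.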

Further Reading

For more information about integrating HashiCorp Vault with Itential Platform, refer to the HashiCorp Vault Encryption section of the documentation.