Known Issues
Here is a list of known issues you may encounter.
Chrome on Catalina encryption error accessing Ops Manager with a browser
Symptom
After upgrading to the Catalina OS, when you try to access your TAS environment via Chrome, you receive the following error:
NET::ERR_CERT_INVALID
Possible Corrective Action
- After finding you cannot "click through" in Chrome, click anywhere on the page, type in thisisunsafe, and it should let you through. We're not sure if this workaround will be available much longer.
- Use a different browser, such as Safari, which should allow you to click on "visit this website" on the error page.
Background
Chrome handles bad or untrusted certificates differently on 10.15, and so does OS X itself. We are planning to use Let's Encrypt to generate the SSL certificates for OpsMan environments (already done for GCP TAS environments). Even after we change the way SSL certificates are generated, if you have 'old' environments you will need to either use one of the workarounds listed above or re-deploy your environments.
GCP Default Service Account was not found
Symptom
When your GCP Key is validated, you see the following error: "There are problems with the Default Service Account (Compute Engine) in your project."
You can validate this error by looking at the Service Accounts in your project. In order to programmatically create VMs in your project, you need to have a Default Service Account that looks similar to the following:
- email: [PROJECT_NUMBER]-compute@developer.gserviceaccount.com (example: 347516522354-compute@developer.gserviceaccount.com)
- name: Compute Engine default service account
- key ID: no keys are needed
If this Service Account does not exist in your project, you will not be able to programmatically create VMs. You can further validate this by trying to create a VM via:
gcloud compute instances create example-instance-1 --zone us-central1-a
Possible Corrective Action
You may have inadvertently deleted your project's default GCP service account. GCP does not have official documentation on this issue. Experimentally, we have found that the following procedure works:
- If you deleted this account within the last 30 days, you can undelete the account following these instructions. Keep in mind you will need the gcloud cli, and you will need to dig through your account activity to find the unique ID of your service account, which is not your project number.
If this doesn't work for you, we recommend you open a ticket with GCP or simply request that a new GCP project be created for you.
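The check described in this section can be scripted. The following is an added example, not part of the Toolsmiths tooling: it confirms whether the default service account exists and, if not, searches the last 30 days of audit logs for its deletion. The function names are hypothetical, and the audit log filter and the resource.labels.unique_id field are assumptions about how GCP records service account deletions.

```shell
#!/usr/bin/env bash
# Added example: verify the Compute Engine default service account and, if it
# is missing, look up the unique ID needed to undelete it.
# Usage: ./check-default-sa.sh <project-id>   (script name is hypothetical)

# Build the default service account email from a project number.
default_sa_email() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Read service account emails on stdin, one per line. Succeeds only if the
# default account for project number $1 is present as an exact, whole line.
has_default_sa() {
  grep -Fxq -- "$(default_sa_email "$1")"
}

# Query GCP for project ID $1. Requires an authenticated gcloud cli.
# Returns 0 if the account exists, 1 if it is missing, 2 on lookup failure.
check_default_sa() {
  sa_project="$1"
  sa_number="$(gcloud projects describe "$sa_project" \
    --format='value(projectNumber)')" || return 2
  sa_email="$(default_sa_email "$sa_number")"

  if gcloud iam service-accounts list --project "$sa_project" \
      --format='value(email)' | has_default_sa "$sa_number"; then
    echo "OK: $sa_email exists"
    return 0
  fi

  echo "MISSING: $sa_email" >&2
  echo "Deletions recorded in the last 30 days (timestamp, unique ID):" >&2
  # Assumption: deletions appear in the audit log under this method name,
  # with the numeric unique ID in resource.labels.unique_id.
  gcloud logging read \
    "resource.type=\"service_account\" AND resource.labels.email_id=\"$sa_email\" AND protoPayload.methodName=\"google.iam.admin.v1.DeleteServiceAccount\"" \
    --project "$sa_project" --freshness=30d \
    --format='value(timestamp, resource.labels.unique_id)' >&2
  return 1
}

# Run the live check only when a project ID is passed as an argument.
if [ -n "${1:-}" ]; then check_default_sa "$1"; fi
```

The unique ID printed for a deletion is the value the undelete instructions ask for, not the project number.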
Bad Service Account Key when Tearing Down Environment
Symptom
You have received an error message or email from the Toolsmiths saying "The Service Account key on file appears to be incorrect" when your GCP Environment needs to be deleted. The GCP Service Account key that you provided when creating the environment has been rotated or deleted. Additionally, you may see your environment has the status of NEEDS NEW SAK (service account key). The automated tooling has tried to delete your environment, but we do not have a valid GCP Service Account for the GCP Project you are using. This results in an error related to permissions when deleting resources.
Possible Corrective Action
Your GCP Environment will need to be deleted. Please choose an option below:
Option 1. Delete the environment yourself (recommended)
- Use the leftovers utility
- Sample command:
leftovers --filter <env-name> -i gcp --gcp-service-account-key ~/Downloads/<your-key>.json --no-confirm
- Then let Toolsmiths know you have deleted the environment so that we can release the DNS entry for others to use
Option 2. Let our automated tooling delete your environment
- Create a new GCP Service Account key
- Share it via LastPass with the Toolsmiths group in LastPass
  - Sharing Center -> Manage the folder -> Invite Group "Toolsmiths"
  - Click on 'tool' -> Share only the entry you created
- Ask Toolsmiths to update the key & tear down the environment