inSync connector registration fails with Registration failed error
inSync connector registration fails with a "Registration failed" error. This issue is mainly observed in networks that have proxy servers or SSL inspection.
Any of the following causes can lead to this error:
An SSL termination proxy in the network. An SSL termination proxy handles the incoming SSL/TLS connections, decrypts the SSL/TLS traffic, and passes the unencrypted requests on to the destination.
An SSL/TLS termination proxy reduces the load on the main server by offloading the cryptographic processing to another system, and it supports servers that do not support SSL/TLS. During this operation, the SSL termination proxy server decrypts the Server Hello packet and changes the Issuer attribute of the Druva certificate located in the cloud or on the master server. The Server Hello packet is the network packet in which inSync Server sends its public certificate information to clients.
The inSync AD connector is designed to trust certificates that have been issued by a known CA. Druva cloud certificates are issued by:
- For inSync Cloud: DigiCert SHA2 Secure Server CA,DigiCert Inc,US, Subject: *.druva.com,Cloud Operations,Druva, Inc.,Sunnyvale,California,US.
- For inSync GovCloud: DigiCert SHA2 Secure Server CA,DigiCert Inc,US, Subject: Federal.druva.com,Cloud Operations,Druva, Inc.,Sunnyvale,California,US.
If a certificate issued by any other issuer reaches the inSync connector, the connector cannot continue the registration process.
The AD connector logs, located at C:\inSyncADConnector\inSyncADConnector.log, show errors such as the following:
[2020-04-21 15:59:29,658] [DEBUG] Error validating server certificate for cloud.druva.com:443 - [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
[2020-04-21 15:59:29,658] [ERROR] SSL/certificate error while validating the cloud server's certificate. Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
[2020-04-21 15:59:29,658] [DEBUG] Error <class 'inSyncLib.inSyncError.SyncError'>:Network not reachable. (#100000022). Traceback -Traceback (most recent call last):
  File "inSyncLib\inSyncRPCServer.pyc", line 659, in serve
  File "inSyncLib\inSyncRPCBase.pyc", line 1275, in connect
  File "inSyncLib\inSyncRPCClient.pyc", line 391, in sslwrap
SyncError: Network not reachable. (#100000022)
Take a network trace with the help of tools such as Microsoft Network Monitor or Wireshark, while reproducing the issue.
Look for the incoming Server Hello packet to get information about the certificate that passes through the entire network and eventually reaches the inSync Client.
Check the Issuer attribute in the certificate section of the Server Hello packet.
In the trace snippet below, the issuer of the certificate is the proxy server, as the packet has been examined and processed by the proxy server before it reaches the inSync Client.
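The issuer check from the steps above can also be scripted on the connector host. This is an added example, not Druva's code: the expected issuer is the one listed earlier in this article, `probe` assumes a direct or transparently proxied path to cloud.druva.com:443, and the two sample certificates are constructed.

```python
import socket
import ssl

# Issuer the article lists for inSync Cloud and GovCloud certificates.
EXPECTED_ISSUER = {
    "commonName": "DigiCert SHA2 Secure Server CA",
    "organizationName": "DigiCert Inc",
    "countryName": "US",
}

def flatten_name(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def issuer_verdict(cert):
    """Return (matches_expected, issuer_dict) for a getpeercert()-style dict."""
    issuer = flatten_name(cert.get("issuer", ()))
    ok = all(issuer.get(k) == v for k, v in EXPECTED_ISSUER.items())
    return ok, issuer

def probe(host="cloud.druva.com", port=443, timeout=10):
    """Handshake from the connector host and report who issued the certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return issuer_verdict(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by the OS store: report the verification error.
        return False, {"verify_error": exc.verify_message}
    except OSError as exc:
        # No route, DNS failure, timeout, or another TLS error.
        return False, {"network_error": str(exc)}

# Constructed samples in getpeercert() format (not captured from a real network).
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "DigiCert Inc"),),
                     (("commonName", "DigiCert SHA2 Secure Server CA"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Example Corp"),),
                          (("commonName", "Example Corp Inspection CA"),))}

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(name, issuer_verdict(sample))
    print("live", probe())
```

A `False` verdict from `probe` with an issuer naming an internal CA points to the proxy re-signing the connection; a `verify_error` means the presented chain is not trusted by the host at all.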
Use one of the following options to resolve the backup failure:
- Whitelist *.druva.com in the proxy server with the help of the in-house networking team. This excludes any SSL/TLS connection established by Druva from SSL inspection.
- Turn off the SSL/TLS termination proxy feature from the proxy server or router.