Overview
When an Aembit Agent attempts to intercept a client's TLS traffic, you may see a connection error stating 'Error cannot decrypt peer's message'. This means the Aembit Agent Proxy is unable to decrypt and manage the encrypted communication from the client workload to the server workload.
Cause
This error is a cryptographic failure that happens when there is a mismatch between the certificate presented by the Aembit Agent Proxy and the trusted certificate on the client workload.
Aembit's TLS Decrypt feature works by having the Agent Proxy act as an intermediary for all client traffic. It presents a certificate (either the Aembit tenant certificate or a customer-managed TLS certificate) to the client. The client workload must trust this certificate to establish a secure, encrypted connection with the agent. The 'Error cannot decrypt peer's message' specifically occurs because the client workload receives an encrypted message from the Agent Proxy but cannot find a valid, matching certificate in its trust store to decrypt it.
Common reasons for this mismatch include:
- The wrong certificate is installed on the client workload.
- The certificate file is corrupted or incomplete.
- The certificate's file path is incorrect in the client's configuration.
- The client's trust store or application is not configured to use the provided certificate.
Solution
To resolve this, you must ensure the correct and uncorrupted TLS certificate is properly configured on the client workload. Follow these steps:
- Verify the Certificate: Confirm the certificate file on the client workload is the exact one intended for this operation.
- Check for Corruption: Use a tool like openssl to verify the certificate's integrity. For example, run 'openssl x509 -in your_certificate.crt -text -noout' on the client to check for errors.
- Confirm File Path and Permissions: Ensure the client workload's configuration points to the correct path of the certificate file and that the workload has the necessary read permissions to access it.
- Update Client Trust Store: Ensure the client's trust store or application is configured to trust the certificate. This may involve adding the certificate to a system-wide trust store or specifying it in the application's connection settings.
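The four steps above, collected into a small set of shell checks as an added example (this is not Aembit's own tooling). It assumes the openssl CLI is installed on the client workload; the proxy host, port and certificate path are placeholders you supply for your own deployment.

```shell
#!/bin/sh
# Added diagnostic helpers (not Aembit's own tooling). Assumes the openssl
# CLI is installed on the client workload. Host/port/path arguments are
# placeholders you supply for your own Agent Proxy and trust-store file.

# Steps 2 and 3 of the article: is the file present, readable and a
# parseable X.509 certificate? Returns 0 when all checks pass, 1 otherwise.
check_cert_file() {
  file="$1"
  if [ ! -e "$file" ]; then
    echo "MISSING: $file does not exist (check the configured path)" >&2
    return 1
  fi
  if [ ! -r "$file" ]; then
    echo "UNREADABLE: $file exists but this user cannot read it" >&2
    return 1
  fi
  if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
    echo "CORRUPT: $file is not a valid PEM/X.509 certificate" >&2
    return 1
  fi
  openssl x509 -in "$file" -noout -subject -issuer -dates
}

# SHA-256 fingerprint of a PEM certificate file, printed as 'AB:CD:...'.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Steps 1 and 4: fetch the certificate the Agent Proxy actually presents,
# show both fingerprints side by side, then verify the presented
# certificate against the one the client trusts.
# Usage: compare_with_proxy <proxy-host> <proxy-port> <trusted-cert.pem>
compare_with_proxy() {
  host="$1"; port="$2"; trusted="$3"
  presented=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | openssl x509 -outform PEM > "$presented" || {
    echo "Could not fetch a certificate from $host:$port" >&2
    rm -f "$presented"; return 1; }
  echo "Proxy presents: $(cert_fingerprint "$presented")"
  echo "Client trusts:  $(cert_fingerprint "$trusted")"
  # A fingerprint mismatch or a failed verify is the root cause described above.
  openssl verify -CAfile "$trusted" "$presented"
  rc=$?
  rm -f "$presented"
  return $rc
}
```

Run check_cert_file against the certificate path from the client's configuration first; only when that passes does compare_with_proxy tell you whether the proxy is presenting the same certificate the client was given to trust.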
By performing these steps, you can eliminate the decryption failure and allow the client to successfully establish a secure, decrypted connection through the Aembit Agent Proxy.