Overview
This article addresses failures in TLS decryption stemming from the Agent Proxy lacking the necessary Aembit Tenant Root CA certificate required to decrypt peer communication.
Relates To
Deployment Type: Kubernetes (Sidecar/Proxy Injection)
Feature: Aembit Managed TLS / TLS Decryption
Container:
aembit-agent-proxy
Cause (Common Symptoms)
Use this guide if the Agent Proxy is running but the logs/audit events show:
Error String:
"outcome":{"reason":"Failed to decrypt, cannot decrypt peer's message","result":"Error"}Symptom: Client Workload is unable to reach Server Workload target
Symptom: Secure traffic between workloads is failing with SSL/TLS handshake errors.
Investigation Step:
Validate Aembit Root CA Presence
The Agent Proxy container must retrieve and store your Aembit Tenant Root CA in its local trust store (See 'Configure TLS Decrypt') to manage traffic.
1. Access the Agent Proxy Container
kubectl -n <namespace> exec -it <Client-Workload-POD> -c aembit-agent-proxy -- bashROSA / OpenShift:
oc -n <namespace> exec -it <pod_name> -c aembit-agent-proxy -- bash2. Extract Certificates from the Trust Store Once inside the container, split the certificate bundle into individual files for inspection:
cd /tmp
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < /etc/ssl/certs/ca-certificates.crt3. Verify Aembit Root CA Search the extracted certificates for the Aembit Tenant entry:
for cert in cert-*.pem; do openssl x509 -in "$cert" -subject -noout; done | grep "Aembit"Successful Outcome: The output should return:
subject=CN = Aembit Tenant <TENANT_ID> Root CA, O = Aembit Inc, C = US, emailAddress = support@aembit.ioFailed Outcome: If no output is returned, the certificate was not successfully downloaded or injected.
Solution
To resolve the trust failure, you must add your specific Aembit Tenant Root CA to the trusted root store of the application environment for your client workload.
Step 1: Download the Tenant Root CA Navigate to the Aembit UI under Edge Components > TLS Decrypt > TLS Decrypt Root CA to download your Aembit Tenant Root CA certificate.
Step 2: Add to Trusted Root Store
The specific process for adding a CA certificate varies based on the operating system (e.g., Ubuntu, RHEL, Alpine) and the application runtime (e.g., Node.js, Python, Java) being used.
For detailed, step-by-step instructions on how to integrate the Aembit CA into your specific environment's trust store, please refer to the official Aembit documentation:
Aembit Documentation: Configure TLS Decrypt
Step 3: Verify the Application Configuration
If the workload is written in a language that maintains its own certificate store (such as Node.js, Python, or Java), ensure that your deployment includes the necessary environment variables or configuration flags to recognize the added CA.