GitHub user d-chatterjee60 added a comment to the discussion: 4.22.1.0 KVM — 
agent SSL handshake fails, cert-import leaves agent self-signed

@weizhouapache and @TheKunalSen Thanks for your suggestions and for taking the 
time to help.

I tried setting `ca.plugin.root.auth.strictness=false` and also using 
**Provision host security keys**, but in my case the root cause turned out to 
be unrelated to the CA plugin.

The actual issue was an **MTU mismatch** between the management server and the 
KVM host network. Because of the MTU problem, the TLS handshake packets were 
not being transmitted correctly, which caused the `NEED_UNWRAP` timeout during 
the SSL handshake. After correcting the MTU configuration and ensuring both 
sides used the same MTU, the agent successfully received the management-signed 
certificate and the host was added without any issues.

Thanks again for your help—I really appreciate it. Hopefully this information 
will also help anyone else who encounters the same symptoms.


GitHub link: 
https://github.com/apache/cloudstack/discussions/13572#discussioncomment-17602196

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]

Reply via email to