https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675776#M652 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/180910">@Asif4862</a>&nbsp;.</P> <P>&nbsp;</P> <P>Do you have a firewall between those machines? Please run the following command on cas-worker-1 and show the output:</P> <P>&nbsp;</P> <PRE>curl -v -k https://host1.local:8200/v1/viya_inter/ca/pem</PRE> Mon, 10 Aug 2020 22:29:21 GMT alexal 2020-08-10T22:29:21Z https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675737#M651 <P>Hello All, This is Asif<BR /><BR />I deployed SAS Viya 3.4 on multiple machines (Install MPP CAS on 2 hosts)<BR /><BR />Host1= CAS Controller and all services<BR />Host2= CAS worker<BR /><BR />During installation of SAS Viya 3.4 only one error is occurred on Host2 (cas-worker-1):</P> <P>&nbsp;</P> <P>"2020-08-10 12:19:08,892 p=10363 u=root |&nbsp; fatal: [cas-worker-1]: FAILED! =&gt; {"changed": true, "cmd": "/opt/sas/viya/home/SASSecurityCertificateFramework/bin/sas-crypto-management req-vault-cert --common-name host1.local --out-form jks --out-key /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/sas.jks --san-ip 127.0.0.1 --san-ip 172.31.0.13 --vault-addr <A href="https://host1.local:8200" target="_blank">https://host1.local:8200</A> --vault-token /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/staticcerts/default/vault.token --vault-cafile /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem", "delta": "0:13:31.142453", "end": "2020-08-10 12:19:08.845065", "msg": "non-zero return code", "rc": 1, "start": "2020-08-10 12:05:37.702612", "stderr": "2020-08-10 12:06:07.828 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:06:38.831 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:07:10.832 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:07:44.834 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:08:22.835 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:09:08.837 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:10:10.838 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:11:44.840 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:14:22.841 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.\n2020-08-10 12:19:08.843 ERROR [Log.go:57] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:99 After 511 seconds, failed to read viya_inter/ca/pem: Get <A href="https://host1.local:8200/v1/viya_inter/ca/pem" target="_blank">https://host1.local:8200/v1/viya_inter/ca/pem</A>: dial tcp 172.1.1.1:8200: i/o timeout", "stderr_lines": ["2020-08-10 12:06:07.828 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:06:38.831 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:07:10.832 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:07:44.834 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:08:22.835 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:09:08.837 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:10:10.838 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:11:44.840 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:14:22.841 INFO [Log.go:41] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:423 Will retry, but failed to get intermediate cert from Vault server.", "2020-08-10 12:19:08.843 ERROR [Log.go:57] [sas-crypto-management-command] - {\"0\":\"[]\"} vaultcert.go:99 After 511 seconds, failed to read viya_inter/ca/pem: Get <A href="https://host1.local:8200/v1/viya_inter/ca/pem" target="_blank">https://host1.local:8200/v1/viya_inter/ca/pem</A>: dial tcp 172.1.1.1:8200: i/o timeout"], "stdout": "", "stdout_lines": []}"</P> <P>&nbsp;</P> <P>2020-08-10 12:19:08,893 p=10363 u=root |&nbsp; NO MORE HOSTS LEFT *************************************************************</P> <P>2020-08-10 12:19:08,893 p=10363 u=root |&nbsp; PLAY RECAP *********************************************************************</P> <P>2020-08-10 12:19:08,893 p=10363 u=root |&nbsp; cas-worker-1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ok=143&nbsp; changed=32&nbsp;&nbsp; unreachable=0&nbsp;&nbsp;&nbsp; failed=1&nbsp;&nbsp;</P> <P>2020-08-10 12:19:08,894 p=10363 u=root |&nbsp; deployTarget&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ok=261&nbsp; changed=97&nbsp;&nbsp; unreachable=0&nbsp;&nbsp;&nbsp; failed=0&nbsp;&nbsp;</P> <P>2020-08-10 12:19:08,894 p=10363 u=root |&nbsp; localhost&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ok=14&nbsp;&nbsp; changed=1&nbsp;&nbsp;&nbsp; unreachable=0&nbsp;&nbsp;&nbsp; failed=0&nbsp;&nbsp; <BR /><BR />Do you have any suggestion or recommendation how to resolve that specific error?</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P><BR />Thanks,<BR />Asif</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 10 Aug 2020 19:43:05 GMT https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675737#M651 Asif4862 2020-08-10T19:43:05Z https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675776#M652 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/180910">@Asif4862</a>&nbsp;.</P> <P>&nbsp;</P> <P>Do you have a firewall between those machines? Please run the following command on cas-worker-1 and show the output:</P> <P>&nbsp;</P> <PRE>curl -v -k https://host1.local:8200/v1/viya_inter/ca/pem</PRE> Mon, 10 Aug 2020 22:29:21 GMT https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675776#M652 alexal 2020-08-10T22:29:21Z https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675957#M653 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/41748">@alexal</a>&nbsp;, actually you are right. There are firewall between two servers.&nbsp;<BR /><BR /></P> <P><SPAN>The firewall permission issue was related to the Security Group attached to the EC2 instances. The two instances are in different subnets. The Security Group attached to first instance did not have an inbound entry for traffic from the second instances subnet.</SPAN></P> <P><SPAN>I basically added an inbound rule to the first instances Security Group to allow traffic from second instances subnet.</SPAN></P> <P><SPAN>The second instances Security Group also allows traffic from first instances subnet.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>Once again thank you for your help</SPAN></P> <P><SPAN><BR /></SPAN>Thanks,<BR />Asif</P> Tue, 11 Aug 2020 16:45:30 GMT https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675957#M653 Asif4862 2020-08-11T16:45:30Z https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675958#M654 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/180910">@Asif4862</a>&nbsp;,</P> <P>&nbsp;</P> <P>You're welcome. I'm glad the problem has been resolved.</P> Tue, 11 Aug 2020 16:47:17 GMT https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675958#M654 alexal 2020-08-11T16:47:17Z https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675960#M655 <P>Thanks&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/41748">@alexal</a>&nbsp; and appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Tue, 11 Aug 2020 16:49:01 GMT https://communities.sas.com/t5/SAS-Viya/SAS-Viya-3-4-multiple-machines-intermediate-cert-Error-from/m-p/675960#M655 Asif4862 2020-08-11T16:49:01Z