Jovian
Obsidian | Level 7

Hi everyone, 

 

I have currently deployed LTS 2025.03 Viya 4 with AML. I am using an external Postgres as the infra server, named SharedServices, and an external Oracle DB with SID ECLAML.

 

I have deployed it in full-stack TLS with IT-provided certificates for both CA and Ingress, which are properly being utilized (I have checked the sas-ingres-certificate secret).

 

All services are working as expected, and I am also able to connect Viya to the DB via SAS Studio using the tnsnames.ora file mounted on the compute pod.

While trying to run the sas-aml-provisioning job, I am getting the following error:

 

{"level":"fatal","version":1,"source":"sas-aml-provisioning-job","messageKey":"Error getting tenant job parameters from environment: GetPGClusters fails: GetServices failed, error: Get \"https://sas-consul-server:8500/v1/catalog/services\": tls: failed to verify certificate: x509: certificate signed by unknown authority","properties":{"logger":"aml-provisioning-job/main","caller":"sdsci/main.go:384"},"timeStamp":"2025-12-17T06:57:51.911751+00:00","message":"Error getting tenant job parameters from environment: GetPGClusters fails: GetServices failed, error: Get \"https://sas-consul-server:8500/v1/catalog/services\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}
{"level":"error","version":1,"source":"sas-run-tool","messageKey":"sonder-log-icu.tool.executor.failed.starting.service.log","properties":{"logger":"tools/run","caller":"impl/executor.go:75"},"timeStamp":"2025-12-17T06:57:51.920265+00:00","message":"sonder-log-icu.tool.executor.failed.starting.service.log"}
{"level":"fatal","version":1,"source":"sas-run-tool","messageKey":"Service executor failed to execute successfully: exit status 1","properties":{"logger":"tools/run","caller":"impl/tooling.go:188"},"timeStamp":"2025-12-17T06:57:51.920321+00:00","message":"Service executor failed to execute successfully: exit status 1"}

I am not sure why I am getting this error, as this is a fresh install with pristine DB(s). I have especially created a new Oracle DB for this deployment.

 

Any ideas as to which pod/deploy/services I should check for this issue would help a ton.

Any help or suggestions would also be greatly appreciated.

1 REPLY 1
gwootton
SAS Super FREQ
This failure is from the process trying to contact the SAS Configuration Server (consul) and failing because it doesn't trust the certificate the server is sending. This is an internal certificate and not what you provided for ingress.

The trust stores for this communication are built by the sas-certframe initContainer in the pod rather than a separate service. This container generates a certificate and key for the pod it's running in as well as building a trust store that incorporates the Mozilla CA certs, any CAs you have provided, and the internal CA used to issue the certificates for internal communication. It is that last one that sounds like it is missing.

You should check the sas-certframe initContainer log for that specific pod for any issues.
--
Greg Wootton | Principal Systems Technical Support Engineer
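
The trust-store gap described in the reply above can be reproduced offline in Go, whose crypto/x509 package produces the error string seen in the job log. This is an added example, not part of the thread and not SAS code: the CA names, the `VerifyConsulCert` helper and every certificate are constructed for illustration, and only the host name sas-consul-server is taken from the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a constructed certificate; a nil parent yields a self-signed root CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{cn}, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyConsulCert validates a constructed server cert against the site CA, plus the internal CA if asked.
func VerifyConsulCert(includeInternalCA bool) error {
	siteCA, _ := newCert("constructed-site-ca", nil, nil)             // stands in for a customer-provided CA
	internalCA, caKey := newCert("constructed-internal-ca", nil, nil) // stands in for the internal issuing CA
	leaf, _ := newCert("sas-consul-server", internalCA, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(siteCA)
	if includeInternalCA {
		roots.AddCert(internalCA)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "sas-consul-server"})
	return err
}
func main() {
	fmt.Println("site CA only:", VerifyConsulCert(false), "| with internal CA:", VerifyConsulCert(true))
}
```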
