- Overview
- Requirements
- Installation
- Q&A: Deployment templates
- Configuring the machines
- Configuring the external objectstore
- Configuring an external Docker registry
- Configuring the load balancer
- Configuring the DNS
- Configuring Microsoft SQL Server
- Configuring the certificates
- Online multi-node HA-ready production installation
- Offline multi-node HA-ready production installation
- Disaster recovery - Installing the secondary cluster
- Downloading the installation packages
- install-uipath.sh parameters
- Enabling Redis High Availability Add-On for the cluster
- Document Understanding configuration file
- Adding a dedicated agent node with GPU support
- Adding a dedicated agent Node for Task Mining
- Connecting Task Mining application
- Adding a Dedicated Agent Node for Automation Suite Robots
- Post-installation
- Cluster administration
- Monitoring and alerting
- Migration and upgrade
- Migration options
- Step 1: Moving the Identity organization data from standalone to Automation Suite
- Step 2: Restoring the standalone product database
- Step 3: Backing up the platform database in Automation Suite
- Step 4: Merging organizations in Automation Suite
- Step 5: Updating the migrated product connection strings
- Step 6: Migrating standalone Insights
- Step 7: Deleting the default tenant
- Performing a single tenant migration
- Product-specific configuration
- Best practices and maintenance
- Troubleshooting
- How to troubleshoot services during installation
- How to uninstall the cluster
- How to clean up offline artifacts to improve disk space
- How to clear Redis data
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bucket
- How to disable streaming logs for AI Center
- How to debug failed Automation Suite installations
- How to delete images from the old installer after upgrade
- How to automatically clean up Longhorn snapshots
- How to disable TX checksum offloading
- How to manually set the ArgoCD log level to Info
- How to generate the encoded pull_secret_value for external registries
- How to address weak ciphers in TLS 1.2
- How to work with certificates
- Unable to run an offline installation on RHEL 8.4 OS
- Error in downloading the bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- First installation fails during Longhorn setup
- SQL connection string validation error
- Prerequisite check for selinux iscsid module fails
- Azure disk not marked as SSD
- Failure after certificate update
- Antivirus causes installation issues
- Automation Suite not working after OS upgrade
- Automation Suite requires backlog_wait_time to be set to 0
- GPU node affected by resource unavailability
- Volume unable to mount due to not being ready for workloads
- Support bundle log collection failure
- Failure to upload or download data in objectstore
- PVC resize does not heal Ceph
- Failure to resize PVC
- Failure to resize objectstore PVC
- Rook Ceph or Looker pod stuck in Init state
- StatefulSet volume attachment error
- Failure to create persistent volumes
- Storage reclamation patch
- Backup failed due to TooManySnapshots error
- All Longhorn replicas are faulted
- Setting a timeout interval for the management portals
- Update the underlying directory connections
- Authentication not working after migration
- Kinit: Cannot find KDC for realm <AD Domain> while getting initial credentials
- Kinit: Keytab contains no suitable keys for *** while getting initial credentials
- GSSAPI operation failed due to invalid status code
- Alarm received for failed Kerberos-tgt-update job
- SSPI provider: Server not found in Kerberos database
- Login failed for AD user due to disabled account
- ArgoCD login failed
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis probe failure
- RKE2 server fails to start
- Secret not found in UiPath namespace
- ArgoCD goes into progressing state after first installation
- Issues accessing the ArgoCD read-only account
- MongoDB pods in CrashLoopBackOff or pending PVC provisioning after deletion
- Unhealthy services after cluster restore or rollback
- Pods stuck in Init:0/X
- Prometheus in CrashloopBackoff state with out-of-memory (OOM) error
- Missing Ceph-rook metrics from monitoring dashboards
- Pods cannot communicate with FQDN in a proxy environment
- Failure to configure email alerts post upgrade
- Document Understanding not on the left rail of Automation Suite
- Failed status when creating a data labeling session
- Failed status when trying to deploy an ML skill
- Migration job fails in ArgoCD
- Handwriting recognition with intelligent form extractor not working
- Failed ML skill deployment due to token expiry
- Running High Availability with Process Mining
- Process Mining ingestion failed when logged in using Kerberos
- Unable to connect to AutomationSuite_ProcessMining_Warehouse database using a pyodbc format connection string
- Airflow installation fails with sqlalchemy.exc.ArgumentError: Could not parse rfc1738 URL from string ''
- How to add an IP table rule to use SQL Server port 1433
- Using the Automation Suite Diagnostics Tool
- Using the Automation Suite support bundle
- Exploring Logs
Automation Suite on Linux installation guide
How to work with certificates
openssl commands to validate a chain of certificates (CA, intermediate, and server), and separate or combine certificates.
You can bring certificates as follows:
-
Scenario 1: Three crt/pem files including CA, intermediate, and server certs and a private key.
-
Scenario 2: Two crt/pem files including CA and server certs and a private key.
-
Scenario 3: One pfx file containing all CA/intermediate and server certs and a private key.
The following table describes the used file names:
|
File name |
Description |
|---|---|
|
|
A CA certificate. |
|
|
An intermediate certificate. |
|
|
A certificate containing CA and intermediate certificates. |
|
|
A server certificate. |
|
|
A private key used to generate the
server.crt.
|
|
|
A pfx certificate file containing CA, intermediate, server certificates, and the server private key. |
When you bring three different cert files (CA, intermediate, and server), take the following steps for validation:
-
Combine the CA with the intermediate certs (applicable only for Scenario 1).
cp ca.crt ca-bundle.crt cat intermediate.crt >> ca-bundle.crtcp ca.crt ca-bundle.crt cat intermediate.crt >> ca-bundle.crt -
Check the server cert contains (specifically the
subject alternative namesandvalidityfields.openssl x509 -in server.crt -text -nooutopenssl x509 -in server.crt -text -noout -
Check if the server cert was signed by the CA server.
openssl verify -CAfile ca-bundle.crt server.crtopenssl verify -CAfile ca-bundle.crt server.crtOutput:
server.crt: OKserver.crt: OK -
Check if the server cert was generated by the server private key by comparing the md5 hashes. If the following commands' outputs match, then it validates that the server cert was generated using the private key.
openssl x509 -noout -modulus -in server.crt | openssl md5openssl x509 -noout -modulus -in server.crt | openssl md5Server cert output:
(stdin)= c9b0c5c3fe11b0b09947415236c4a441(stdin)= c9b0c5c3fe11b0b09947415236c4a441openssl rsa -noout -modulus -in server.key | openssl md5openssl rsa -noout -modulus -in server.key | openssl md5Server private key output:
(stdin)= c9b0c5c3fe11b0b09947415236c4a441(stdin)= c9b0c5c3fe11b0b09947415236c4a441
-
Generate the pfx file from the server cert and the private key. Once the following command is run, you are prompted to type a passcode twice. Thepasscode is always required to decrypt the pfx file.
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfxopenssl pkcs12 -inkey server.key -in server.crt -export -out server.pfxOutput:
Enter Export Password: Verifying - Enter Export Password:Enter Export Password: Verifying - Enter Export Password:
When you bring one certificate in pfx format containing CA, intermediate, server, and private key, you can use the pfx file as an identity token signing certificate, but you must break the pfx file into multiple cert files. The following steps describe how to break the pfx file accordingly.
-
Export the CA certificate (including intermediate if provided in the pfx file):
openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crtopenssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt -
Export the server certificate:
openssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crtopenssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt -
Export the private key:
openssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.keyopenssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key
