Troubleshooting

This page describes the troubleshooting steps to take if you experience known problems in DAS, OPA, and self-hosted installations.

Self-hosted

This section covers troubleshooting for self-hosted environments.

Problem #1

Sync failed ssh handshake failed ssh unknown fingerprint.

You received the following error:

2021-09-15 16:27 Sync failed: ssh: handshake failed: ssh: unknown fingerprint for bitbucket.org:22

Solution:

  1. Get the fingerprint from your Git SSH server.

    The SSH host key fingerprints from your Git SSH server can be found in one of the following links:

    Alternatively, you can run the following command in your terminal to fetch your Git host's SSH key fingerprint: ssh-keyscan -p 22 GITHOST | ssh-keygen -lf -.

    Example:

    > ssh-keyscan -p 22 bitbucket.org | ssh-keygen -lf -
    2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
  2. Edit the settings configmap to add the fingerprint.

    Using Helm

    Filepath: charts/styra-das/values.yaml

    ...
    tenants:
      features:
        # By default, the decision logs are searchable for three days and retained
        # in storage for 14 days. These can be configured by updating the values below (in hours).
        # `LOG_VIEW_LIMIT_TIME` (for searchable) and `DECISIONS_GC_HISTORY` (for retention)
        LOG_VIEW_LIMIT_TIME: 72h
        DECISIONS_GC_HISTORY: 336h
        GIT_SSH_KNOWN_FINGERPRINTS: SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A

    Using kubectl

    Filepath: ./settings.yaml

    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: settings
    data:
      config.json: |-
        {
          "tenants": {
            "default": {
              "features": {
                "LOG_VIEW_LIMIT_TIME": 72,
                "DECISIONS_GC_HISTORY": 336, # <- don't forget this comma
                "GIT_SSH_KNOWN_FINGERPRINTS": "SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"
              }
            }
          }
        }
      db_url: "postgres://postgres/postgresdb?sslmode=disable"
      ...
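
ssh-keyscan records whatever key the network path returns without authenticating it, so the fingerprint from step 1 should match the value your Git host publishes before it goes into GIT_SSH_KNOWN_FINGERPRINTS. The following Python is an added example, not part of the original page or the product's tooling: it recomputes the SHA256 fingerprint from ssh-keyscan output and rejects any key outside the published set. The host name git.example.test, the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """Split one `host keytype base64` line and check the blob's embedded key type."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")  # SSH string: 4-byte length, then bytes
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError(f"{host}: key blob type does not match {key_type}")
    return host, key_type, blob


def verified_fingerprints(keyscan_output: str, published: set) -> list:
    """Return fingerprints safe to configure; raise on any key not in `published`."""
    accepted = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and '#' comment lines
        host, key_type, blob = parse_keyscan_line(line)
        fp = sha256_fingerprint(blob)
        if fp not in published:
            raise ValueError(f"{host} {key_type} {fp} is not a published fingerprint")
        accepted.append(fp)
    return accepted


def sample_key_line(host="git.example.test", seed=0):
    """Constructed ssh-ed25519 blob (not a real host key) in ssh-keyscan format."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([seed]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}", blob


if __name__ == "__main__":
    line, blob = sample_key_line()
    pinned = {sha256_fingerprint(blob)}  # stands in for the vendor-published value
    for fp in verified_fingerprints(line, pinned):
        print("GIT_SSH_KNOWN_FINGERPRINTS:", fp)
```

In practice `published` holds the fingerprints copied from the Git host's own documentation, and `keyscan_output` is the raw output of `ssh-keyscan -p 22 GITHOST`.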

Problem #2

To troubleshoot the Slack Integration feature, see the Slack Integration Troubleshooting page.

Open Policy Agent (OPA)

Problem #1

Unable to update OPA in Red Hat Enterprise Linux (RHEL) 7.

Solution:

The OPA v0.29.4 release changed the pre-built opa_linux_amd64 binary to better support WebAssembly-based policy execution. The change requires glibc 2.18+ and libgcc. RHEL 7 only supports up to glibc 2.17.

If you currently deploy the pre-built OPA binaries to RHEL 7, CentOS 7, and Alpine-based Docker images, then update your automation to download opa_linux_amd64_static instead of opa_linux_amd64. Going forward, the opa_linux_amd64_static binary is recommended for systems that do not have the required system libraries.

If you currently build OPA from source and deploy to one of these systems, update your build to produce a statically linked executable by setting the CGO_ENABLED and WASM_ENABLED flags (for example, make build WASM_ENABLED=0 CGO_ENABLED=0).