Skip to content

Troubleshooting VEN connections

The 3 most common communication issues are:

  1. Invalid SSL certificate configuration
  2. Incorrect URL
  3. Registration failures

Each of these errors are configuration issues on the VEN side and should manifest as distinct error messages in the VEN. If you have communication issues, the first thing we will ask is: what errors do you see in your VEN log​? Please have this information ready before contacting support.

Troubleshooting tips for each common error are provided below.

SSL Certificates

Certificates for communicating with Canvas Cloud must come from Kyrio. A typical configuration will have the following 3 files:

  1. CA Bundle​: List of CA certificates from Kyrio used to validate signatures of certificates from Kyrio. Every VEN will have the same CA certificates.
  2. Certificate chain: ​Certificate with the public key and root and intermediate certificates used to sign the certificate. There will typically be 3 files concatenated to create this file.
  3. Private key: ​Private key which pairs with the public key in 2. This file should be protected and not shared.

Some certificate formats will combine the certificate chain and private key, leaving two files instead of 3.

If the CA bundle isn’t correct, a common error is ​SSL certificate problem: self signed certificate in certificate chain.

If the certificate chain or private key are incorrect, the SSL connection will fail with an error indicating an invalid certificate.

Another common error is ​certificate expired ​or an error indicating a certificate valid date is in the future. This can happen if the VEN hasn’t time synced before initiating communication to the VTN.

Incorrect URL

If the certificates are configured correctly, you may see errors at the http layer if the URL is incorrect. The most common error is a ​404 / not found​. Please review the VEN and verify the VTN URL is correct.

Once certificates and the VTN URL are configured correctly, the VEN should be able to exchange XML messages. If communication is still failing, check the oadrResponse object in the XML for a 4xx error. Failures at this point mean the VTN is unable to match the request from the VEN to a VEN record configured in the VTN. Check that the VEN name and/or VEN ID are correct in the VEN, and make sure the VEN fingerprint is configured correctly in the VTN. Read below for tips on finding the VEN fingerprint for 2.0b VENs.

When using a 2.0b VEN, check the failed registrations tab:

Here’s a sample failure on the failed registrations page. The certificate fingerprint is highlighted:

Failed Registration screenshot

Here’s a sample oadrResponse from the VTN:

    <ns3:responseDescription>Fingerprint does not match</ns3:responseDescription>