Zato Installation throwing "could not fetch the load balancer's configuration"


When trying to install Zato step-by-step as the quickstart does it, the UI throws an error of ‘Could not fetch the load balancer’s configuration’.

After comparing the configuration in detail to the quickstart one and the one created while running via the zato cli, the only issue that seems to be is the difference of the certificates.

It seems like zato has a different private key for each individual service (web-admin/load-balancer/serverN)

We have a wildcard certificate and key (*

  • private key (wildcard) -> public key can be generated from this.
  • certificate (wildcard)
  • CA certificate

How can we use that within the context of deploying zato?

The load-balancer is created as such:
zato create load_balancer /opt/zato/dev/load_balancer /opt/zato/dev/certs/PUBLICKEY.pem /opt/zato/dev/certs/PRIVATEKEY.pem /opt/zato/dev/certs/WILDCARDCERTIFICATE.pem /opt/zato/dev/certs/CACERTIFICATE.pem

What would be the best approach for us to go with? Would the above wildcard key/cert pair be sufficient or an individual set needs to be created for each service?

Hi @nikhil

Web-Admin cant access to xml-rpc lb-agent.

I have one server per component (web-admin, load-balancer, server-x) and it works fine and web-admin has access to the balancer configuration, I just had to change lb host


as @jupiter has already mentioned. Check that your lb_host is correct in the web admin.

You can check the logs for the web admin when you visit /zato/clusters It will spit out an error as to why you can’t get the lb config.

If you’re still stuck please can you post the result of the web-admin logs here and I can help you a bit better :slight_smile:

@giannis.katsini @jupiter
Thank you very much for your help.
So the error from the web-admin.log mentions the SSL Certificate verification failed. That was my initial thought as well hence the question on the SSL aspect.

How do i proceed further from this:

2017-10-27 00:09:43,201 - ERROR - 27387:MainThread - zato.admin.web.views.cluster:174 - Could not invoke agent, client:[<ServerProxy
 for localhost:20151/RPC2>], e:[Traceback (most recent call last):
  File "/opt/zato/2.0.8/code/zato-web-admin/src/zato/admin/web/views/", line 165, in index
    lb_config = client.get_config()
  File "/usr/lib64/python2.7/", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/", line 1587, in __request
  File "/usr/lib64/python2.7/", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/", line 1301, in single_request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.7/", line 1448, in send_content
  File "/usr/lib64/python2.7/", line 975, in endheaders
  File "/usr/lib64/python2.7/", line 835, in _send_output
  File "/usr/lib64/python2.7/", line 797, in send
  File "/opt/zato/2.0.8/code/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/", line 48, in connect
    self.sock = self.wrap_socket(sock)
  File "/opt/zato/2.0.8/code/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/", line 56, in wrap_socket
  File "/usr/lib64/python2.7/", line 913, in wrap_socket
  File "/usr/lib64/python2.7/", line 588, in __init__
  File "/usr/lib64/python2.7/", line 810, in do_handshake
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Hi @nikhil,

I can see that others will help you out with the lb_host variable if it turns out to be needed to but to answer your specific question - yes, you can use just one set of public/private keys along with the certificate of the CA that was involved in signing the certificate that uses the keys.

The reason why they are all different by default is that in this way one has flexibility of what to do, either keep them separate or use a single one.

As for the CERTIFICATE_VERIFY_FAILED error - as mentioned in other replies, web-admin communicates with the load-balancer using that load-balancer’s agent, it’s basically a mini-server that accepts a very specific set of commands, validates them and passes them along to the load-balancer.

This agent needs its own public/private keys and certificate and this is the material that the ‘zato create load_balancer’ command accepts. Again, this crypto material can be then shared with any other component - it’s up to you how you break it down.

But what you also need to make sure of is that web-admin knows what CA signed the load-balancer agent’s certificate.

That is, when web-admin invokes the agent it needs to know what CA signed the agent’s certificate. That CA’s certificate is stored in /path/to/web/admin/config/repo/web-admin-ca-certs.pem. Simply place your CA’s certificate there, in PEM format, then stop/start web-admin and it will work.


Hi @dsuch

Thank you very much.
Using the same keys were definitely causing an issue.

Ended up creating individual private keys for each and it worked flawlessly.