Deploying a new BYOC Edge in Europe/Paris results in immediate health check failures. The edge reports ‘Connection refused’ to the Genesys Cloud core, despite valid SSL certificates and open ports. This blocks all inbound traffic routing.
- Verified firewall rules allow traffic on 443 and 5061 between the edge and core.
- Confirmed the edge certificate matches the Common Name in the BYOC configuration.
Any insights into why the core rejects the handshake?
The main issue here is likely not the firewall but the certificate chain validation on the Genesys Cloud side. When deploying a BYOC Edge, the core service performs a strict TLS handshake verification. If the intermediate certificates are missing from the bundle uploaded to the edge, the connection is refused even if the leaf certificate matches the Common Name. This is a common issue when using automated certificate provisioning tools that only grab the end-entity cert. You need to ensure the full chain is included in the PEM file. Concatenate the leaf certificate, followed by any intermediate CAs, and finally the root CA if required by your specific region's trust store configuration. The order matters significantly: leaf first, then intermediates.

You can verify the chain locally using openssl s_client -connect <edge_ip>:443 -showcerts. If the handshake fails there, the core will definitely reject it.

Another potential cause is clock skew between the edge server and the Genesys Cloud infrastructure. NTP synchronization must be accurate within a few seconds. If the edge clock is off, the certificate validity check fails silently. Check the system time on the edge VM.

Also, review the edge logs for TLS alert messages. They often provide the specific reason for the rejection, such as certificate_unknown or bad_certificate.

Ensure the private key permissions are restricted to the edge service user only. Incorrect permissions can cause the edge daemon to fail to load the key, resulting in a connection refusal.

Double-check the BYOC configuration in the admin portal to ensure the edge ID matches the one generated during the initial registration process. Mismatched IDs cause the core to reject the connection immediately.
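As an added example (not code from this thread, from Genesys, or from the BYOC Edge), the following shell script reproduces the two failure modes the answer above describes. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, then runs a bundle-order check (leaf first, each certificate's issuer matching the subject of the one that follows) and a path validation with openssl verify, including a run with -attime set to yesterday, which produces the same "not yet valid" rejection a skewed edge clock causes. The names (Demo Root, Demo Intermediate, edge.example.test) and all file paths are constructed for the demo; to check a real edge, save the certificates printed by openssl s_client -connect <edge_ip>:443 -showcerts to a file and pass that file to the same functions, with -CAfile pointing at the root you actually trust.

```shell
#!/bin/sh
# Added example, not Genesys or Genesys Cloud code. Builds a throwaway
# root -> intermediate -> leaf chain with openssl and checks a PEM bundle
# the way a strict peer does: leaf first, every issuer present, path
# valid at the current time. Names and paths below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the demo chain: self-signed root (CA:TRUE), intermediate signed
# by the root (CA:TRUE), leaf for the constructed host edge.example.test.
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:edge.example.test\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=edge.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Split a PEM bundle into $WORK/split/cert-N.pem (N from 1) and print the count.
split_bundle() {
  rm -rf "$WORK/split" && mkdir -p "$WORK/split"
  awk -v dir="$WORK/split" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# Print one X.509 name field ("subject" or "issuer") of a PEM file in RFC 2253 form.
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# Order check: the first cert must be the end-entity (not self-signed) and
# each cert's issuer must be the subject of the cert that follows it.
# Prints "ok" or a one-line description of the first problem found.
check_chain_order() {
  n=$(split_bundle "$1")
  [ "$n" -ge 1 ] || { echo "no certificates in bundle"; return 0; }
  if [ "$(name_of "$WORK/split/cert-1.pem" subject)" = "$(name_of "$WORK/split/cert-1.pem" issuer)" ]; then
    echo "first certificate is self-signed; the leaf must come first"; return 0
  fi
  i=1
  while [ "$i" -lt "$n" ]; do
    next=$((i + 1))
    issuer=$(name_of "$WORK/split/cert-$i.pem" issuer)
    subject=$(name_of "$WORK/split/cert-$next.pem" subject)
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i was issued by '$issuer' but cert $next is '$subject' (missing or misordered intermediate)"
      return 0
    fi
    i=$next
  done
  echo ok
}

# Path validation of the demo leaf, using the bundle as the presented
# (untrusted) chain and the demo root as trust anchor. An optional epoch
# time simulates a skewed edge clock. Prints "OK" or "FAIL: <reason>".
verify_bundle() {
  at=${2:-$(date +%s)}
  if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" -attime "$at" \
             "$WORK/leaf.pem" 2>&1); then
    echo OK
  else
    printf 'FAIL: %s\n' "$(printf '%s\n' "$out" | grep 'depth lookup' | head -n1)"
  fi
}

make_demo_chain
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/good.pem"      # correct order
cat "$WORK/leaf.pem" "$WORK/root.pem"                 > "$WORK/noint.pem"     # intermediate missing
cat "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/reversed.pem"  # root first

for b in good noint reversed; do
  echo "$b: order=$(check_chain_order "$WORK/$b.pem") verify=$(verify_bundle "$WORK/$b.pem")"
done
echo "good.pem one day ago: $(verify_bundle "$WORK/good.pem" "$(( $(date +%s) - 86400 ))")"
```

Note that openssl verify accepts the intermediates in any order, so the reversed bundle still validates there; the order check is kept separate precisely because a TLS peer that takes the presented chain literally (leaf first, then its issuers) does not grant that leniency. The missing-intermediate bundle fails in both checks, and the -attime run fails with "certificate is not yet valid", which is what a lagging edge clock looks like from the verifier's side.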
Yep, this is a known issue… The certificate chain must be complete. Genesys Cloud validates the full path, not just the leaf cert. Missing intermediates cause immediate handshake rejection.
- Full chain bundle inclusion
- Intermediate certificate presence
- TLS handshake validation steps