vSphere Integrated Container Appliance Install Using Signed Certificates Fails

Article ID: 308356


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

The OVA deployment fails, and the vCenter web client log vsphere_client_virgo.log may report an error similar to the following.

===========vsphere_client_virgo.log===========

[yyyy-MM-DDTHH:mm:ss.SSS-04:00] [ERROR] http-bio-9090-exec-10        70014733 103733 203506 c.v.vsphere.client.provisioning.ovf.impl.OvfDeployServiceImpl     OVF import session entered ERROR state. com.vmware.vsphere.client.provisioning.ovf.OvfSessionError: Transfer failed: The OVF descriptor is not available.

==========End Log==========

Location of VMware vCenter Server 6.0 log files (2110014)

The OVA deployment succeeds but the container management portal does not work.
In this case, admiral.service reports the following. The admiral.service logs are located on the VIC appliance VM and can be read from the shell with the command journalctl -u admiral.service.

===========journal -u admiral.service===========

MMM dd hh:mm:ss FQDN.domain.local start_admiral.sh[735]: [5][I][yyyy-MM-DD HH:mm:ss.SSSZ][1][ServerX509TrustManager][<init>][Adding trust store 'custom-CA' (path: '/tmp/trusted_certificates.jks') to the trust manager...]

MMM dd hh:mm:ss FQDN.domain.local start_admiral.sh[735]: [6][W][yyyy-MM-DD HH:mm:ss.SSSZ][1][Utils][logWarning][Failed to read PKCS#8 PEM file. file=/tmp/server.key]

==========End Log==========

 

 

Environment

VMware vSphere Integrated Containers 1.x

Cause

Certificate format is incorrect or corrupt.

Resolution

Validate that the private key used for the Management Portal is in unencrypted PKCS #8 PrivateKeyInfo format.

A key file in this format shows the following header and footer.

-----BEGIN PRIVATE KEY-----

### lines omitted for brevity ###

-----END PRIVATE KEY-----

If the key is not in the correct format, reach out to the security personnel responsible for key generation to have the key converted or re-generated in the needed format.

Note: The registry and file server use the PKCS #1 SSLeay format. These keys can be identified by the following header and footer.

-----BEGIN RSA PRIVATE KEY-----

### lines omitted for brevity ###

-----END RSA PRIVATE KEY-----

If the key is in PKCS #1 SSLeay format, it can be converted with a tool such as openssl and then used for the management portal. The following example shows how to do this in openssl.

openssl pkcs8 -in keyfile.pem -topk8 -out convertedkey.pem -nocrypt
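The header check and the conversion above can be combined into a pre-deployment check. The script below is an added example, not part of the original article or of VMware's tooling. The function names key_format and portal_key are hypothetical, and the encrypted-key headers it recognises are standard PEM markers that the article does not list.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its header and, when it is
# PKCS #1, convert it with the openssl command shown in the article.

# key_format FILE
# Prints one of: pkcs8, pkcs8-encrypted, pkcs1, pkcs1-encrypted, unknown
key_format() {
    # Take the first BEGIN line, stripping CRs from Windows-edited files.
    hdr=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case "$hdr" in
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Passphrase-protected PKCS #1 keys carry a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pkcs1-encrypted
            else
                echo pkcs1
            fi ;;
        *) echo unknown ;;
    esac
}

# portal_key IN OUT
# Writes an unencrypted PKCS #8 copy of IN to OUT for the management portal.
# Returns non-zero if IN cannot be used without a passphrase or a re-issue.
portal_key() {
    fmt=$(key_format "$1")
    case "$fmt" in
        pkcs8) cp "$1" "$2" ;;
        pkcs1) openssl pkcs8 -in "$1" -topk8 -out "$2" -nocrypt ;;
        *)     echo "cannot use $1: format is $fmt" >&2
               return 1 ;;
    esac
    # The output is an unencrypted private key: restrict it to the owner.
    chmod 600 "$2"
    # Confirm the result carries the header the portal expects.
    [ "$(key_format "$2")" = pkcs8 ]
}

# Usage (file names are placeholders):
#   key_format server.key
#   portal_key server.key portal-server.key
```

An encrypted key is rejected instead of being converted silently, because removing the passphrase is a decision for whoever owns the key.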