"Failed to connect to lookup service..." error when configuring the lookup service on the Cloud Director Availability appliances
Article ID: 315171
Updated On:
Products
VMware Cloud Director
VMware vCenter Server
Issue/Introduction
- During the initial configuration of a Cloud Director Availability appliance, configuring the lookup service fails and you see a similar error:
Failed to connect to lookup service at https://PSC_Address:443/lookupservice/sdk
- In /opt/vmware/h4/<cloud|manager|replicator|tunnel>/log/<cloud|manager|replicator|tunnel>.log on the Cloud Director Availability appliance, you see a similar error:
YYYY-MM-DD HH:MM:SS.470 ERROR - [UI__55ef4eba-xxx-444a-9fcb-xxxx_gh] [https-jsse-nio-xxxx] c.v.h4.common.service.BaseConfigService : Failed to connect to lookup service at https://PSC_Address:443/lookupservice/sdk.
com.vmware.exception.GenericSSLException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured
at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:64)
at com.vmware.vlsi.util.ExceptionConverterInterceptor.handleException(ExceptionConverterInterceptor.java:30)
at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:254)
...
Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: SSL handshake from 0.0.0.0/0.0.0.0:59746 to PSC_Address:443 failed in 113 ms
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:597)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:422)
at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.createLayeredSocket(VlsiSslSocketFactory.java:122)
com.vmware.exception.GenericSSLException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured
at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:64)
at com.vmware.vlsi.util.ExceptionConverterInterceptor.handleException(ExceptionConverterInterceptor.java:30)
at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:254)
...
Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: SSL handshake from 0.0.0.0/0.0.0.0:59746 to PSC_Address:443 failed in 113 ms
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:597)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:422)
at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.createLayeredSocket(VlsiSslSocketFactory.java:122)
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 7.0.x
Cause
This issue can occur when:
- The machine SSL certificate of a vCenter Server certificate differs from the certificate stored in the lookup service.
- The lookup service certificate on port 443 differs to the certificate on port 7444.
- The VCDA self-signed certificates are expired for any of the component like: VCDA replicator, tunnel or manager.
Resolution
To verify you are encountering vCenter/lookup service certificate issues, perform the following checks:
Lookup service certificate mismatch
- SSH to the Cloud Director Availability On-Premises appliance and log in as root.
- Run the following commands against the Platform Services Controller:
openssl s_client -connect PSC_Address:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout
openssl s_client -connect PSC_Address:7444 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout
openssl s_client -connect PSC_Address:7444 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout
- Compare the outputs to determine if there is a mismatch.
vCenter Server certificate mismatch
- SSH to the Platform Services Controller and log in as root.
- Use the lstool script to get a list of the registered services on the PSC:
vSphere 6.x:
/usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk > /tmp/services.txt
vSphere 7.0:
/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk > /tmp/services.txt
/usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk > /tmp/services.txt
vSphere 7.0:
/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk > /tmp/services.txt
- Open the services.txt file and search for the following section:
Service Type: vcenterserver
- Take note of the endpoint certificate for the service.
- Run the following command against the vCenter Server:
openssl s_client -connect vCenter_Address:443 < /dev/null 2>/dev/null | openssl x509
- Compare the certificates from steps 4 and 5 to determine if there is a mismatch.
To resolve any certificate mismatch issues use lsdoctor -t tool to fix the mismatch. Using the 'lsdoctor' Tool
Additional Information
For more information on vSphere certificate issues, see:
- vCenter Server certificate validation error for external solutions in environments with vCenter Server 7.0
- vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller
Impact/Risks:
Warning: Incorrectly updating the certificate information of service registrations may break the functionality of that service.
Feedback
Yes
No
Powered by
