"Failed to retrieve VSphere urn:vcloud:vimserver:{uuid} designated Certificate Authority (VMCA) certificate" error when attempting to connect to vCenter Server in Cloud Director

Article ID: 321468

Products

VMware Cloud Director

Issue/Introduction

Symptoms:

  • Attempting to edit the vCenter Server connection details in the Cloud Director Provider UI fails with an error of the form:

    [ <REQUEST_UUID> ] Failed to retrieve VSphere urn:vcloud:vimserver:<VCENTER_UUID>'s designated Certificate Authority (VMCA) certificate. Please review KB 78885 to review and verify proper integration into your VSphere infrastructure. - Error response received from VCenter while trying to fetch VMCA

  • Attempting to trust the vCenter Server certificates using the /opt/vmware/vcloud-director/bin/cell-management-tool trust-infra-certs --vsphere --unattended command fails with output of the form:

    Downloading certificates for X host(s), including 1 vCenter(s):
            vcenter.example.com     [Download: FAILURE]

  • The /opt/vmware/vcloud-director/logs/cell-management-tool.log shows an error of the form:

    | WARN     | main                      | AutoTrustInfraCertificates     | Couldn't fetch vmca from vcenter https://vcenter.example.com/api via VAPI /vcenter/certificate-authority/get-root Response status code: 403, Response body: {"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]} |
    ...
    | DEBUG    | ForkJoinPool.commonPool-worker-5 | AutoTrustInfraCertificates     | Could not connect to host: vcenter.example.com, certificates for this host will not be trusted. |
    java.lang.ClassCastException: class sun.net.www.protocol.http.HttpURLConnection cannot be cast to class javax.net.ssl.HttpsURLConnection (sun.net.www.protocol.http.HttpURLConnection and javax.net.ssl.HttpsURLConnection are in module java.base of loader 'bootstrap')
            at com.vmware.vcloud.trustedcertificates.cmt.CertificatesUtil.retrieveCertFromAIA(CertificatesUtil.java:124)
            at com.vmware.vcloud.trustedcertificates.cmt.CertificatesUtil.getRootCaCert(CertificatesUtil.java:52)
            at com.vmware.vcloud.trustedcertificates.cmt.AutoTrustInfraCertificates.downloadCertificate(AutoTrustInfraCertificates.java:534)
            at com.vmware.vcloud.trustedcertificates.cmt.AutoTrustInfraCertificates.lambda$gatherCertificates$9(AutoTrustInfraCertificates.java:345)

  • Manually performing the vCenter API call to get the certificates with the same vCenter Server user that Cloud Director uses fails with 403 Forbidden:

    curl -k -v -X GET https://vcenter.example.com/api/vcenter/certificate-authority/get-root -H "vmware-api-session-id: {session-id}"
    HTTP/1.1 403 Forbidden
    {"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]}

Environment

VMware Cloud Director 10.x

Cause

This error can occur if the vCenter Server user that Cloud Director is configured with does not have sufficient rights in vCenter to retrieve the certificates.
In particular, the vCenter user's Role must include the Right Certificates > Manage certificates; without it, the /api/vcenter/certificate-authority/get-root API call that Cloud Director makes is rejected with 403 Forbidden.

Resolution

To resolve the issue, provide Cloud Director with a vCenter user that has sufficient privileges, including the Right Certificates > Manage certificates.
Typically Cloud Director is provided with a vCenter user that has the Administrator Role; for more information see Attach a vCenter Server Instance Alone or Together with an NSX Manager Instance.

To verify outside of Cloud Director whether the vCenter user has sufficient rights, use curl to query the vCenter API directly:

  1. Log in with the user that Cloud Director uses to connect to vCenter Server:

    curl -k -v -X POST https://vcenter.example.com/api/session -u "<VCENTER_USER>"

  2. From the response take the vmware-api-session-id value returned, for example:

    vmware-api-session-id: <SESSION_UUID>

  3. Using this vmware-api-session-id, attempt to get the root certificate from the vCenter API:

    curl -k -v -X GET https://vcenter.example.com/api/vcenter/certificate-authority/get-root -H "vmware-api-session-id: <SESSION_UUID>"

  4. A successful attempt returns a 200 OK response and the VMCA certificate, for example:

    < HTTP/1.1 200 OK
    < date: Tue, 11 Oct 2022 09:35:47 GMT
    < content-type: application/json
    < x-envoy-upstream-service-time: 242
    < server: envoy
    < transfer-encoding: chunked
    <
    "-----BEGIN CERTIFICATE-----\nMIIEHTCCAwWgAwIBAgIJANAReKyitL0gMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD\nVQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ\nFgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGzAZBgNV\nBAoMEnZjc2ExLnZjbG91ZC5sb2NhbDEbMBkGA1UECwwSVk13YXJlIEVuZ2luZWVy\naW5nMB4XDTIyMDYwNjA4NDcyOVoXDTMyMDYwMzA4NDcyOVowgZkxCzAJBgNVBAMM\nAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxv\nY2FsMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEbMBkGA1UECgwS\ndmNzYTEudmNsb3VkLmxvY2FsMRswGQYDVQQLDBJWTXdhcmUgRW5naW5lZXJpbmcw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwFLSwAOggvXvExnRkvPpG\nx9w2stjOm4F0bVSabyi79Txacm2U2zuhOFeRCIDU3ZoRbVZRY7bjUizG1MaDBlE4\n2foxik9WCQv4HzFjkBQnp6cQUaxRRL7tXiFxSoO5KTxRUI4ltG6dSEjykMr6ZtpG\nDzmnuMynbAQji0ecjY8oWKrUHCC4UukAUidRC22AuibUQxwmkegIjVKPF/0Qr2Sa\npirUrUrss1eCO79lXUY7a+I4icTQdnTCTEwPg0omOhPS0Gn3OgYjXn/Hgb22oJZk\n/3N+XP4KuogxNKfRoMJeruxLtB3/+tev+Fwv1lTK/07Fhc2+s6UvknvqM+1CVm0N\nAgMBAAGjZjBkMB0GA1UdDgQWBBQeazPReF4zA8eGOHxk23z/iVCkbDAfBgNVHREE\nGDAWgQ5lbWFpbEBhY21lLmNvbYcEfwAAATAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T\nAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAS6BnxAaxKfKAGvG2SETh\n7vHu0VguHbGY6VduItGRc965xzoppKZB7iSFKsoOKcVsVyAX0LpxWhG+32ugpcPK\nJn21lyTSqHKun57zaG8DqC28BueSPoZJWqlWD3QBWVyq1mb5Km5NLu++Qa6xGeqT\nfEhjdc1K/qxx3iqJNmI3u+uxXG9vtmB08QkZ/2IigAOltLs6D89IfjGVK/UFayxO\nvdT4prH0lyaq6xws/MeEcmt8E19K6HhSQbXzVX9DQrTwUbBFoGqqbYd/hrQvA+ot\n2bd3R8QhI9I6tjKxZAcur9Qy9jDFnrzuyXLRNJoZ9bNQ2nlQ7bXeIzSk26xHSIih\nWQ==\n-----END CERTIFICATE-----\n"


If the API call still returns an error even though the user has the correct rights, ensure that the rights are applied to the user either at the vCenter level in the inventory or at the global level under vCenter -> Administration -> Global Permissions.
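The verification procedure above, scripted with Python's standard library as an added example (this is not VMware's code and nothing like it ships with Cloud Director): it creates a vCenter API session for the user that Cloud Director is configured with, calls get-root with the session id, and tells a missing Certificates > Manage certificates right (the 403 carrying the vAPI permission-denied id quoted in the symptoms) apart from an expired session or any other failure. The script name check_vmca_right.py, the --insecure switch, and the assumption that POST /api/session returns the session id as a JSON string in the body with HTTP 200 or 201 are mine; the 403 body the classifier is written against is the one shown in this article.

```python
"""Check whether the vCenter user that Cloud Director uses can read the VMCA
root certificate through the vCenter REST API. Standard library only.

Assumed usage (the script name is hypothetical):
    python check_vmca_right.py vcenter.example.com '<VCENTER_USER>' [--insecure]
"""
import base64
import getpass
import hashlib
import json
import ssl
import sys
import urllib.error
import urllib.request

# vAPI error id present in the 403 body when Certificates > Manage certificates is missing
PERMISSION_DENIED_ID = "com.vmware.vapi.authorization.permission.denied"
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def classify_get_root_response(status, body):
    """Classify the result of GET /api/vcenter/certificate-authority/get-root.

    Returns (kind, detail):
      "ok"              detail is the PEM certificate (the API returns it as a JSON string)
      "missing_right"   403 carrying the vAPI permission-denied id; detail is its message
      "unauthenticated" 401, i.e. the session id is missing or has expired
      "unexpected"      anything else; detail is the raw body
    """
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        parsed = None
    if status == 200:
        if isinstance(parsed, str) and parsed.startswith(PEM_HEADER):
            return ("ok", parsed)
        return ("unexpected", body)
    if status == 403 and isinstance(parsed, dict):
        for msg in parsed.get("messages", []):
            if msg.get("id") == PERMISSION_DENIED_ID:
                return ("missing_right", msg.get("default_message", ""))
    if status == 401:
        return ("unauthenticated", body)
    return ("unexpected", body)


def vmca_fingerprint(pem):
    """SHA-256 fingerprint (lowercase hex) of the DER form of a PEM certificate, for
    comparing the returned VMCA root with the entry Cloud Director already trusts."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def _request(method, url, headers, verify_tls):
    """Send one HTTPS request and return (status, body) without raising on 4xx/5xx."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a lab vCenter with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def create_session(vcenter, username, password, verify_tls=True):
    """POST /api/session with HTTP Basic credentials (what curl -u sends) and return the id.
    Assumption: the session id comes back as a JSON string in the body with HTTP 200 or 201."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    status, body = _request("POST", f"https://{vcenter}/api/session",
                            {"Authorization": f"Basic {token}"}, verify_tls)
    if status not in (200, 201):
        raise RuntimeError(f"session creation failed: HTTP {status}: {body}")
    return json.loads(body)


def fetch_vmca_root(vcenter, session_id, verify_tls=True):
    """GET the VMCA root with the vmware-api-session-id header and classify the outcome."""
    status, body = _request("GET", f"https://{vcenter}/api/vcenter/certificate-authority/get-root",
                            {"vmware-api-session-id": session_id}, verify_tls)
    return classify_get_root_response(status, body)


if __name__ == "__main__":
    host, user = sys.argv[1], sys.argv[2]
    verify = "--insecure" not in sys.argv[3:]
    sid = create_session(host, user, getpass.getpass("vCenter password: "), verify)
    kind, detail = fetch_vmca_root(host, sid, verify)
    if kind == "ok":
        print(f"OK: {user} can read the VMCA root (SHA-256 {vmca_fingerprint(detail)})")
    elif kind == "missing_right":
        print(f"FAIL: {detail} - grant Certificates > Manage certificates to {user}")
    else:
        print(f"FAIL ({kind}): {detail}")
    sys.exit(0 if kind == "ok" else 1)
```

Unlike the curl -k commands above, the script verifies vCenter's TLS certificate by default; pass --insecure only against a lab vCenter that still presents a self-signed certificate. A non-zero exit on "missing_right" makes the check usable from a pre-upgrade runbook, and the printed fingerprint can be compared with the VMCA entry in Cloud Director's trusted certificates store to confirm the same root is being fetched.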

Additional Information

For more information on trusting vCenter Server certificates in Cloud Director, see the knowledge base article vCenter Server, ESXi and/or NSX are disconnected after a Cloud Director 10.1, 10.3 or 10.4 upgrade (78885).