Unable to deploy OVF using vSphere Client when a HTTPS Proxy is configured
search cancel

Unable to deploy OVF using vSphere Client when a HTTPS Proxy is configured

book

Article ID: 321922

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Unable to deploy OVF using vSphere Web client in vCenter Server 7.0 and above when using an HTTPS Proxy Server.

   For a similar issue, see "cannot authenticate SSL certificate for proxy" in Content Library for vCenter HTTPs Proxy Support

  • Exporting VM to OVF may result in an error 500 in the web browser.
  • When trying to deploy OVF/OVA through vCenter UI, may see error similar to below: 
    A general system error occurred:Transfer failed:Invalid response code: 503, note that HTTP/s proxy is configured for the transfer.
  • You see the following errors in /var/log/vmware/vpxd.log similar to:
  • Unrecognized SSL message, plaintext connection?, note that HTTP/s proxy is configured for the transfer
    [YYYY-MM-DDTHH:MM:SS] info vpxd[#####] [Originator@#### sub=Default opID=#######-##] [VpxLRO] -- ERROR task-###### -- <VMNAME> -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
--> Result:
--> (vim.fault.OvfImportFailed) {
-->  faultCause = (vmodl.fault.SystemError) {
-->   faultCause = (vmodl.MethodFault) null,
-->   faultMessage = (vmodl.LocalizableMessage) [
-->     (vmodl.LocalizableMessage) {
-->      key = "com.vmware.ovfs.ovfs-main.ovfs.transfer_failed",
-->      arg = (vmodl.KeyAnyValue) [
-->        (vmodl.KeyAnyValue) {
-->         key = "0",
-->         value = "Invalid response code: 403, note that HTTP/s proxy is configured for the transfer"
-->      message = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
-->   reason = ""
-->   msg = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
-->  faultMessage = <unset>
  • Error code above may also show for Invalid response code 503
  • You can also see the following messages in /var/log/vmware/content-library/cls.log 
    ovf.transfer_failed
Server not trusted: certificate_unknown(46), note that HTTP/S proxy is configured for the transfer

Environment

VMware vCenter Server 8.0.X
VMware vCenter Server 7.0.X

Cause

  • This issue occurs when the OVF deployment process is unable to connect to the proxy server with the error: 
    Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer.
Transfer failed: Server not trusted, certificate unknown
  • This Invalid response code: 403 is a response from the PROXY server indicating that the resource you are attempting to reach is not allowed access.
  • The OVF transfer requires an HTTPS capable proxy when a proxy is in use. Ensure the proxy is HTTPS capable or use the workarounds below to bypass the proxy.

Resolution

    1. Currently there is no resolution. Please subscribe to this article to get informed when a fix is available.

Workaround:

  1. Disable to the Proxy in the vCenter VAMI 5480 as a test and try it again.  

Use one of the below methods (Note that the following is case sensitive):

  • Modify the HTTPS PROXY configuration to use HTTP:
    • Modify the /etc/sysconfig/proxy file. Change the HTTPS_PROXY line to update the value from https to http: 
      HTTPS_PROXY="https://proxy.example.com:3128/"

      to 

      HTTPS_PROXY="http://proxy.example.com:3128/"
    • If the FQDN of the proxy server does not work, you can alternatively use its IP address

       

    • Reboot the VCSA if you are on a version prior to 7.0 U1. Otherwise, restart services with the command:

      # service-control --stop --all && service-control --start --all

       

  • Add the hosts to the NO_PROXY config to bypass the proxy:

    • Connect to the vCenter Server with a SSH session

    • Modify the /etc/sysconfig/proxy file and add the ESXi host FQDN's or IP's to the following line, separated by a comma followed by a space character.

      NO_PROXY="localhost, 127.0.0.1, <hostname>.example.com"

    • Attempt the OVF deployment from the content library and the vSphere Client.

    • In some cases it can be necessary to reboot the vCenter Server to apply the change

Note:

Content library in vCenter 7.0U1c and newer versions include support to specify a CIDR notation (1.2.3.4/24)/netmask notation (1.2.3.4/255.255.255.0) or a wildcard with a leading full stop (".") as in  .*.vmware.com.

Please note that wildcard entries must start with a full stop. 

For File based Backup and Restore you need to explicitly mention FQDN/IP of backup server. For more information, see No_Proxy requirement for vCenter File based Backup and Restore

For example:

NO_PROXY="localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24"


Using a wildcard proxy has its limitations:

  • File-based backup and restore may be affected.
  • VMware Appliance Management UI (VAMI) does not support adding a proxy/no-proxy with a wildcard. 
  • Linux commands like wget, curl do not support wildcard/CIDR/netmask notation in NO_PROXY.

Additional Information

This issue is being checked by Diagnostics for VMware Cloud Foundation.

The check is as follows:

  • Product: vCenter
  • Log File: vpxd.log
  • Log Expression Check "Transfer failed: Invalid response code: 403" AND "HTTP/s proxy is configured for the transfer"
Powered by Wolken Software