Unrecognized SSL message, plaintext connection?, note that HTTP/s proxy is configured for the transfer
[YYYY-MM-DDTHH:MM:SS] info vpxd[14866] [Originator@6876 sub=Default opID=2b691553-01] [VpxLRO] -- ERROR task-1978410 -- UPSA913s-x64-VM01-noV
APP -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
--> Result:
--> (vim.fault.OvfImportFailed) {
--> faultCause = (vmodl.fault.SystemError) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = (vmodl.LocalizableMessage) [
--> (vmodl.LocalizableMessage) {
--> key = "com.vmware.ovfs.ovfs-main.ovfs.transfer_failed",
--> arg = (vmodl.KeyAnyValue) [
--> (vmodl.KeyAnyValue) {
--> key = "0",
--> value = "Invalid response code: 403, note that HTTP/s proxy is configured for the transfer"
--> message = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
--> reason = ""
--> msg = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
--> faultMessage = <unset>
This issue occurs when the OVF deployment process is unable to connect to the proxy server with the error:
Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer.
The Invalid response code: 403 is returned by the PROXY server and indicates that the proxy refused access to the resource you are attempting to reach. When a proxy is in use, the OVF transfer requires an HTTPS-capable proxy. Ensure the proxy is HTTPS capable, or use the workarounds below to bypass the proxy.
Currently there is no resolution. Please subscribe to this article to get informed when a fix is available.
Workaround:
To work around this issue, use one of the methods below (note that the following is case sensitive):
1. Modify the HTTPS PROXY configuration to use HTTP:
Modify the /etc/sysconfig/proxy file. Change the HTTPS_PROXY line to update the value from https to http:
HTTPS_PROXY="https://proxy.example.com:3128/"
to
HTTPS_PROXY="http://proxy.example.com:3128/"
If the FQDN of the proxy server does not work, you can alternatively use its IP address
Reboot the VCSA if you are on a version prior to 7.0 U1. Otherwise, restart services with the command:
# service-control --stop --all && service-control --start --all
2. Add the hosts to the NO_PROXY config to bypass the proxy:
Connect to the vCenter Server with a SSH session
Modify the /etc/sysconfig/proxy file and add the ESXi host FQDNs or IPs to the following line, separated by a comma followed by a space character.
For Example:
NO_PROXY="localhost, 127.0.0.1, <hostname>.example.com"
Attempt the OVF deployment from the content library and the vSphere Client.
Note:
Content Library in vCenter 7.0U1c and newer includes support for CIDR notation (1.2.3.4/24), netmask notation (1.2.3.4/255.255.255.0), or a wildcard with a leading full stop (".") as in .*.vmware.com.
Please note that wildcard entries must start with a full stop.
For file-based Backup and Restore you need to explicitly specify the FQDN/IP of the backup server. For more information, see No_Proxy requirement for vCenter File based Backup and Restore (313480).
For example:
NO_PROXY="localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24"
Using wildcard entries in NO_PROXY has limitations:
- File-based backup and restore may be affected.
- VMware Appliance Management UI (VAMI) does not support adding a proxy/no-proxy with a wildcard.
- Not all components in vCenter accept NO_PROXY with wildcard characters.
For example, Linux commands like wget, curl don't support wildcard/CIDR/netmask notation in NO_PROXY.
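The following is an added example (not VMware's code) that applies the NO_PROXY matching rules described above, using the sample value from this article, and contrasts them with a literal-only matcher that models the caveat that some components ignore wildcard, CIDR and netmask entries. The function names and the literal-only model are assumptions made for illustration; they let an administrator audit which hosts a given NO_PROXY value actually exempts.

```python
import ipaddress

# Constructed sample, copied from the NO_PROXY example on this page.
SAMPLE_NO_PROXY = "localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24"


def parse_no_proxy(value):
    """Split a NO_PROXY value into entries (vCenter separates them with ', ')."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_literal(entry):
    """True for plain hostnames / IPs; False for wildcard, CIDR or netmask entries."""
    return not entry.startswith(".") and "/" not in entry


def entry_matches(entry, host):
    """Content Library rules: exact host/IP, CIDR or netmask network, or leading-dot wildcard."""
    if entry.startswith("."):
        # ".*.example.com" and ".example.com" both mean "any name under example.com"
        suffix = entry.lstrip(".*").lower()
        return host.lower().endswith("." + suffix)
    if "/" in entry:
        try:
            # ip_network accepts both "10.0.0.1/24" and "10.0.0.1/255.255.255.0";
            # strict=False tolerates host bits being set, as in the page's example
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # host is not an IP address, so a network entry cannot match it
    return host.lower() == entry.lower()


def bypasses_proxy(no_proxy, host):
    """Return the first entry that exempts host from the proxy, or None."""
    return next((e for e in parse_no_proxy(no_proxy) if entry_matches(e, host)), None)


def literal_only_bypass(no_proxy, host):
    """Assumed model of a component that honours only literal host/IP entries."""
    return next((e for e in parse_no_proxy(no_proxy)
                 if is_literal(e) and host.lower() == e.lower()), None)


def non_literal_entries(no_proxy):
    """Entries a literal-only component ignores; hosts covered only by these still go via the proxy."""
    return [e for e in parse_no_proxy(no_proxy) if not is_literal(e)]


if __name__ == "__main__":
    for host in ("esxi01.example.com", "10.0.0.77", "10.0.1.5"):
        print(host, "->", bypasses_proxy(SAMPLE_NO_PROXY, host),
              "| literal-only:", literal_only_bypass(SAMPLE_NO_PROXY, host))
    print("entries some components ignore:", non_literal_entries(SAMPLE_NO_PROXY))
```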
This issue is being checked by Diagnostics for VMware Cloud Foundation.
The check is as follows: