"Unable to find valid certification path to requested target" error when attempting to import a vApp Template into Cloud Director from an OVF URL
search cancel

"Unable to find valid certification path to requested target" error when attempting to import a vApp Template into Cloud Director from an OVF URL

book

Article ID: 325502

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Attempting to create a vApp Template in a Cloud Director Catalog using the option to import an OVF from a URL.
  • The OVF is located in an S3 bucket such as one backed by Cloud Director Object Storage Extension.
  • The vApp Template import task fails with an error in the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log of the form:
  at com.vmware.ts.impl.TransferItemFileFuture.isDone(TransferItemFileFuture.java:154)
  at com.vmware.vcloud.common.future.FutureUtil.waitForFutureOrCancel(FutureUtil.java:134)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.getOvfDescriptorFromSocket(VAppUploadManagerImpl.java:2965)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadOvfDescriptor(VAppUploadManagerImpl.java:2086)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadBody(VAppUploadManagerImpl.java:2030)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUpload(VAppUploadManagerImpl.java:1943)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.executeTask(VAppUploadManagerImpl.java:5012)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:828)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:823)
  at com.vmware.vcloud.backendbase.management.system.SecurityContextTemplate.executeForOrgAndUser(SecurityContextTemplate.java:48)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.execute(TaskActivity.java:830)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.invokeInner(TaskActivity.java:726)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$TaskActivityBasePhase.invoke(TaskActivity.java:342)
  at com.vmware.vcloud.activity.executors.ActivityRunner.runPhase(ActivityRunner.java:175)
  at com.vmware.vcloud.activity.executors.ActivityRunner.run(ActivityRunner.java:112)
  at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
  at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
  at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Environment

VMware Cloud Director 10.x

Cause

Cloud Director will not import an OVF from URL unless it can trust the certificate presented when connecting to the remote endpoint.

Resolution

Ensure that Cloud Director can connect to the URL provided for the OVF import by ensuring that the remote endpoint provides a signed certificate or by importing the remote endpoint's certificate to Cloud Director's Trusted Certificates manually.

To manually import the certificate take the following steps:

  1. Log into the Cloud Director Provider UI and navigate to Administration > Certificate Management > Trusted Certificates.
  2. Click the Test Remote Connection option, enter the URL from which the OVF is to be imported.
  3. Use HTTPS for the Hostname verification algorithm and click Connect.
  4. Trust the certificate returned to import it into Cloud Director's Trusted Certificates.
  5. Retry the Test Remote Connection and confirm that Cloud Director returns that the connection established successfully.
  6. The vApp Template import of OVF from URL should succeed now that Cloud Director trusts the remote endpoint's certificate.


Powered by Wolken Software