"Unable to find valid certification path to requested target" error when attempting to import a vApp Template into Cloud Director from an OVF URL
book
Article ID: 325502
calendar_today
Updated On:
Products
VMware Cloud Director
Issue/Introduction
Symptoms:
Attempting to create a vApp Template in a Cloud Director Catalog using the option to import an OVF from a URL.
The OVF is located in an S3 bucket such as one backed by Cloud Director Object Storage Extension.
The vApp Template import task fails with an error in the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log of the form:
at com.vmware.ts.impl.TransferItemFileFuture.isDone(TransferItemFileFuture.java:154) at com.vmware.vcloud.common.future.FutureUtil.waitForFutureOrCancel(FutureUtil.java:134) at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.getOvfDescriptorFromSocket(VAppUploadManagerImpl.java:2965) at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadOvfDescriptor(VAppUploadManagerImpl.java:2086) at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadBody(VAppUploadManagerImpl.java:2030) at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUpload(VAppUploadManagerImpl.java:1943) at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.executeTask(VAppUploadManagerImpl.java:5012) at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:828) at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:823) at com.vmware.vcloud.backendbase.management.system.SecurityContextTemplate.executeForOrgAndUser(SecurityContextTemplate.java:48) at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.execute(TaskActivity.java:830) at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.invokeInner(TaskActivity.java:726) at com.vmware.vcloud.backendbase.management.system.TaskActivity$TaskActivityBasePhase.invoke(TaskActivity.java:342) at com.vmware.vcloud.activity.executors.ActivityRunner.runPhase(ActivityRunner.java:175) at com.vmware.vcloud.activity.executors.ActivityRunner.run(ActivityRunner.java:112) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Environment
VMware Cloud Director 10.x
Cause
Cloud Director will not import an OVF from URL unless it can trust the certificate presented when connecting to the remote endpoint.
Resolution
Ensure that Cloud Director can connect to the URL provided for the OVF import by ensuring that the remote endpoint provides a signed certificate or by importing the remote endpoint's certificate to Cloud Director's Trusted Certificates manually.
To manually import the certificate take the following steps:
Log into the Cloud Director Provider UI and navigate to Administration > Certificate Management > Trusted Certificates.
Click the Test Remote Connection option, enter the URL from which the OVF is to be imported.
Use HTTPS for the Hostname verification algorithm and click Connect.
Trust the certificate returned to import it into Cloud Director's Trusted Certificates.
Retry the Test Remote Connection and confirm that Cloud Director returns that the connection established successfully.
The vApp Template import of OVF from URL should succeed now that Cloud Director trusts the remote endpoint's certificate.