vracli vrli set fails with ProxyError
search cancel

vracli vrli set fails with ProxyError


Article ID: 326106


Updated On:


VMware Aria Suite


This article provides a workaround for configuring the vRLI integration.

  • Configuring logging integration to a VMware vRealize Log Insight server using vracli vrli set server_address crashes with the following error
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host=<server_address>, port=9543):
    Max retries exceeded with url: /api/v1/auth-providers (Caused by ProxyError('Cannot connect to proxy.', timeout('_ssl.c:1059: The handshake operation timed out')))


VMware vRealize Automation 8.10.x
VMware vRealize Automation 8.8.x
VMware vRealize Automation 8.9.x


This problem occurs when the vRA environment is behind an upstream proxy that does not forward traffic to the Log Insight server, even if the LI server name matches the patterns in the proxy-exclude list.
Due to a known issue in one of the Python libraries used, the proxy-exclude is not taken into consideration when the log integration is being configured, resulting in a ProxyError.


This issue is resolved in VMware vRealize Automation 8.10.1 and above.

  1. Validate no vrli config is present with vracli vrli and if any config is present, delete it with vracli vrli unset
  2. Check the certificate by running vracli certificate vrli --show.
    1. If none are present, set it manually with vracli certificate vrli --set cert_file --sha256 sha_256 where cert_file is the certificate file saved somewhere on the file system and sha_256 is the sha256 thumbprint of that certificate.
Note: If you do not have the certificate available, obtain it by running the vracli vrli set vrli_server_fqdn command and then answer no upon being asked if you trust this certificate. The cert string will be displayed. Copy it and save it to a file on the vRA file system to reference in the command above.
Note: If you do not know the sha256, running vracli certificate vrli --set cert_file without the --sha256 arg will output the thumbprint.
  1. Force the vrli config without verification by running
    vracli vrli set vrli_server_fqdn --force
  2. Ensure the config has been saved and the certificate info has been applied. Run vracli vrli and check that the caFile field has the correct certificate info, as applied in Step #2.
  3. Wait 2 minutes for the vrli config to be applied and check the vRLI server that the logs are coming through.

Additional Information

This issue applies to versions 8.8.2 through 8.10.0.