VIC appliance UI is slow and does not show Harbor Registry when using Custom Certificates

Article ID: 342409

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Opening any page in the VIC UI from the browser is very slow (30 seconds) to fully load registry information.
  • After registry information is loaded, it does not show all the registries.
  • When you view the network connections in the browser developer tools, REST API requests to hbr-api time out, similar to:

Request URL: https://192.168.1.4:8282/hbr-api/systeminfo
Request method: GET
Remote address: 192.168.1.4:8282
Status code: 500 Internal Server Error

Request URL: https://192.168.1.4:8282/hbr-api/policies/replication
Request method: GET
Remote address: 192.168.1.4:8282
Status code: 500 Internal Server Error

Environment

VMware vSphere Integrated Containers 1.x
VMware vSphere Integrated Containers 1.0.x

Cause

This issue occurs if the Harbor service is not running, which causes the web page sections that normally show registry information to load slowly. When you use a signed certificate in the VIC OVA deployment, this issue may occur if the ca.crt file fails to get created.

Resolution


This is a known issue affecting vSphere Integrated Containers 1.2.

Currently, there is no resolution.

Workaround:
To work around this issue:
  1. Validate if Harbor is impacted.
    1. SSH to the VIC Appliance.
      1. Shut down the vSphere Integrated Containers appliance by selecting Shut Down Guest OS.
         Note: Do not select Power Off.
      2. Right-click the new vSphere Integrated Containers appliance, and select Edit Settings.
      3. Click vApp Options to modify the settings that you provided when you used the OVA installer to deploy the appliance.
      4. In Appliance Security, update the password for the appliance root account and enable or disable SSH login.
      5. Click OK to close the Edit Settings window.
      6. Power on the vSphere Integrated Containers appliance.
      7. Use your preferred SSH client to connect as the root user.
    2. Check if the harbor container exists by running this command:
       docker ps -a

You see output similar to:

CONTAINER ID   IMAGE                COMMAND            CREATED        STATUS        PORTS                    NAMES
340f83d7d25b   vmware/admiral:ova   "/entrypoint.sh"   19 hours ago   Up 19 hours   0.0.0.0:8282->8282/tcp   vic-admiral

    3. Validate that harbor_startup.service fails to copy the ca.crt file by running this command:
       journalctl -u harbor_startup.service

You see output similar to:

vicappliance.viclab.local systemd[1]: Starting Harbor Startup Configuration…
vicappliance.viclab.local bash[1040]: cp: cannot stat '/data/admiral/cert/ca.crt': No such file or directory
vicappliance.viclab.local systemd[1]: harbor_startup.service: Control process exited, code=exited status=1
### lines omitted for brevity ###
  2. Obtain the root signing certificate authority (CA) certificate in X.509 PEM format. The security team responsible for the datacenter can provide this.
    1. Typically, the certificate is provided as a chain during the OVA deployment. If this was done, the root CA is the last certificate in /data/admiral/cert/server.crt. Cat the file to check whether the chain was already provided:
       cat /data/admiral/cert/server.crt

You see output similar to:
 
-----BEGIN CERTIFICATE-----
MIIDYTCCAkmgAwIBAgIJAPPUd8W7LBp8MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
### lines omitted for brevity ### --> Signed cert is always at the top
BAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
LjE2OC4xLjEwMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
### lines omitted for brevity ### --> Intermediate CA if one is in use.
AQoCggEBAMV93QescNy4Lke5EW8hw/qZwN0fzlXR/C/9radJLgFudVpqD3qmdf4m
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Y1WA45DLC1yUcFRRwslGdYvpNAV7BUhJPRa3bKLEnKtI02Ul0rEDj/1TKtSNJgUE
### lines omitted for brevity ### --> Root CA that needs to be copied.
IztqLMuI9GWxOIef6RqAEX7Xr+PGTVTFGLc8y6LqT455vWXwQ/bNu2jD39EmRmbU
iYpj4VE=
-----END CERTIFICATE-----
  3. Copy the root CA certificate, including the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----, to a text file named ca.crt in /tmp/.
  4. Copy the root ca.crt file, obtained either from the security team or from the chain provided in the OVA deployment wizard, to /data/admiral/cert/ca.crt.
  5. Shut down the VIC Appliance from the vSphere Web Client and then power it on again.
  6. Wait a few minutes for the harbor_startup tasks to complete the configuration before testing the UI.
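
Added example (not part of the original article): a shell version of the root CA extraction described in the steps above. It writes the last certificate of the chain to a staging file and refuses it unless subject and issuer match, so a leaf or intermediate certificate is not installed as ca.crt. The function names and the constructed sample chain are assumptions.

```shell
# Added example: stage the root CA from the appliance's certificate chain.
# Function names and the sample data are assumptions, not from the KB article.

# Print a constructed three-block chain (placeholder bodies, not real certificates).
sample_chain() {
  for body in LEAFLEAF INTERMEDIATE ROOTROOT; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
  done
}

# Number of PEM certificate blocks in a file.
count_pem_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the last PEM certificate block of a file, header and footer included.
last_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
       inblk                         { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { last = buf; inblk = 0 }
       END                           { printf "%s", last }' "$1"
}

# True when subject and issuer names match (a name-level check, not a signature check).
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# stage_root_ca CHAIN OUT: write the last certificate of CHAIN to OUT,
# refusing a single-certificate file or a last block that is not self-signed.
stage_root_ca() {
  n=$(count_pem_certs "$1") || true
  if [ "${n:-0}" -lt 2 ]; then
    echo "$1 holds ${n:-0} certificate(s): no chain was supplied, obtain the root CA separately" >&2
    return 1
  fi
  last_pem_cert "$1" > "$2"
  if ! is_self_signed "$2"; then
    echo "last certificate in $1 is not a self-signed root; do not install it as ca.crt" >&2
    rm -f "$2"
    return 2
  fi
  echo "root CA staged at $2: $(openssl x509 -in "$2" -noout -subject -enddate | tr '\n' ' ')"
}

# On the appliance: stage_root_ca /data/admiral/cert/server.crt /tmp/ca.crt
```

Review the printed subject and expiry date against what the security team expects before copying /tmp/ca.crt to /data/admiral/cert/ca.crt.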

