Deploy OVF fails with error: "Transfer failed: Server not trusted: Remote host closed connection during handshake."

Article ID: 344990


Products

VMware vSphere ESXi

Issue/Introduction

This article helps troubleshoot and resolve this OVF deployment error.

Symptoms:
When deploying an OVF file, you receive the following error:
"Transfer failed: Server not trusted: Remote host closed connection during handshake."

In the vpxd log, you see entries similar to the following:

2020-07-11T15:20:09.070Z info vpxd[04524] [Originator@6876 sub=vpxLro opID=1e19####] [VpxLRO] -- BEGIN lro-1748199 -- session[528e54e4-####-####-####-bc4275a0631b]52422371-####-####-####-3b70d345f3e1 -- vim.HttpNfcLease.abort -- 528e54e4-8d32-8ef7-dae3-bc4275a0631b(52c7878f-####-####-####-5d15a9c07398)
2020-07-11T15:20:09.070Z info vpxd[04524] [Originator@6876 sub=MoHttpNfcLease opID=1e19####] [HttpNfcLeaseMo] Releasing HTTP-NFC ticket
2020-07-11T15:20:09.072Z info vpxd[04418] [Originator@6876 sub=vpxLro opID=33a375d7] [VpxLRO] -- FINISH lro-1748198
2020-07-11T15:20:09.073Z info vpxd[04524] [Originator@6876 sub=MoHttpNfcLease opID=1e19####] Task aborted
2020-07-11T15:20:09.073Z info vpxd[04524] [Originator@6876 sub=vpxLro opID=1e198132] [VpxLRO] -- FINISH lro-1748199
2020-07-11T15:20:09.070Z error vpxd[04445] [Originator@6876 sub=VAppImport opID=20cdf419-01] [ImportTaskMo] Caught exception while importing VM: N3Vim5Fault15OvfImportFailed9ExceptionE(Fault cause: vim.fault.OvfImportFailed
--> )
--> [context]zKq7AVECAAAAABjJ8wAUdnB4ZAAA4AArbGlidm1hY29yZS5zbwAAWCUbAP6dGAF0xfxsaWJ2aW0tdHlwZXMuc28AgfvyDwGBE94QAYE5bREBgXJyEQEC9a1VdnB4ZAAC+uRiAlHsYgLb7mICDtxxAr/pcQJmRHIAcW8jADpyIwCdVisD1HMAbGlicHRocmVhZC5zby4wAATdjg5saWJjLnNvLjYA[/context]
2020-07-11T15:20:09.074Z info vpxd[04445] [Originator@6876 sub=VAppImport opID=20cd####-01] [ImportTaskMo] Removing VM [vim.VirtualMachine:vm-####,<VM_NAME>] due to failed import


2020-07-11T15:20:09.977Z info vpxd[04445] [Originator@6876 sub=VAppImport opID=20cd####-01] [ImportTaskMo] Done cleaning up after failed import
2020-07-11T15:20:09.977Z info vpxd[04445] [Originator@6876 sub=vpxLro opID=20cd####-01] [VpxLRO] -- FINISH task-195878
2020-07-11T15:20:09.977Z info vpxd[04445] [Originator@6876 sub=Default opID=20cd####-01] [VpxLRO] -- ERROR task-195878 -- <VM_NAME> -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
--> Result:
--> (vim.fault.OvfImportFailed) {
-->    faultCause = (vmodl.fault.SystemError) {
-->       faultCause = (vmodl.MethodFault) null,
-->       faultMessage = (vmodl.LocalizableMessage) [
-->          (vmodl.LocalizableMessage) {
-->             key = "com.vmware.ovfs.ovfs-main.ovfs.transfer_failed",
-->             arg = (vmodl.KeyAnyValue) [
-->                (vmodl.KeyAnyValue) {
-->                   key = "0",
-->                   value = "Server not trusted: Remote host closed connection during handshake"
-->                }
-->             ],
-->             message = "Transfer failed: Server not trusted: Remote host closed connection during handshake."
-->          }
-->       ],
-->       reason = ""
-->       msg = "Transfer failed: Server not trusted: Remote host closed connection during handshake."
-->    },
-->    faultMessage = <unset>
-->    msg = ""
--> }
--> Args:
-->



--  Releasing HTTP-NFC ticket -- 

Check the rhttpproxy logs on the host you selected for the OVF import.

2020-07-11T17:46:38.345Z warning rhttpproxy[2101716] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<io_obj p:0x00000027aa688550, h:20, <TCP 'xx.xx.xx.xx : 443'>, <TCP 'xx.xx.xx.xx : 54540'>>)>: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)


If you look in the /etc/vmware/rhttpproxy/config.xml file, you will find that ciphers were added to the cipherList field. By default this field is not populated (allowing use of all supported ciphers).

This is the cipher list this particular customer was using:

<cipherList>!aNULL:ECDH+AES:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHAC</cipherList>
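A read-only check for the condition described above, added here as an illustration (it is not VMware's or this article's code): it reports whether a config.xml carries a custom cipherList, lists the entries that list explicitly excludes, and counts "no shared cipher" handshake failures in an rhttpproxy log. The function names, the simplified XML nesting and the sample files are constructed; on a host, point diagnose at /etc/vmware/rhttpproxy/config.xml and the host's rhttpproxy log.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Print the <cipherList> value from an rhttpproxy config.xml; prints nothing
# when the element is absent or empty (the default described in the article).
# Assumes the element sits on one line; lines holding XML comments are skipped.
cipher_list() {
    sed -n -e '/<!--/d' \
        -e 's:.*<cipherList>\(.*\)</cipherList>.*:\1:p' "$1" | head -n 1
}

# List the suites or classes the custom list explicitly excludes ("!" entries).
excluded_entries() {
    cipher_list "$1" | tr ':' '\n' | sed -n 's/^!//p'
}

# Count handshake failures where client and server had no cipher in common.
no_shared_cipher_count() {
    grep -c 'SSL Handshake failed.*no shared cipher' "$1" || true
}

# usage: diagnose CONFIG_XML RHTTPPROXY_LOG
diagnose() {
    ciphers=$(cipher_list "$1")
    fails=$(no_shared_cipher_count "$2")
    if [ -z "$ciphers" ]; then
        echo "default ciphers in use; handshake failures: $fails"
    else
        echo "custom cipherList set; handshake failures: $fails"
    fi
}

# Constructed sample files (XML nesting simplified, addresses are placeholders).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config.xml" <<'EOF'
<config>
  <cipherList>!aNULL:ECDH+AES:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA</cipherList>
</config>
EOF
cat > "$SAMPLE_DIR/rhttpproxy.log" <<'EOF'
2020-01-01T00:00:01.000Z warning rhttpproxy[1000] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<TCP '192.0.2.10 : 443'>, <TCP '192.0.2.20 : 54540'>)>: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
2020-01-01T00:00:02.000Z info rhttpproxy[1000] [Originator@6876 sub=Default] constructed unrelated line
EOF
diagnose "$SAMPLE_DIR/config.xml" "$SAMPLE_DIR/rhttpproxy.log"
excluded_entries "$SAMPLE_DIR/config.xml"
```

A custom cipherList combined with a non-zero failure count matches the symptom in this article; an empty cipherList with failures points to a different cause.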





Environment

VMware vSphere ESXi

Cause

The cipher list on these ESXi hosts was modified to comply with the company's security practices.

Resolution

The list of approved cipher suites for TLSv1.2 will be updated in 6.7 P03.

Workaround:
Use the default-config.xml file to temporarily restore the default ciphers on the host, using steps similar to the following.

Rename config.xml to config.xml.bak -- mv config.xml config.xml.bak
Copy default-config.xml to config.xml -- cp default-config.xml config.xml
Restart rhttpproxy -- /etc/init.d/rhttpproxy restart

After the OVF deployment succeeds, follow the steps below to reverse the change:

Remove config.xml -- rm config.xml
Note: Be extremely cautious when using the rm command. Consider putting a # at the beginning of the line in case Enter is accidentally pressed before the command is complete.

Rename config.xml.bak to config.xml -- mv config.xml.bak config.xml
Restart rhttpproxy -- /etc/init.d/rhttpproxy restart

Additional Information

Impact/Risks:
No impact to running VMs.