
curl -k -v https://<ESXi-IP>:443
echo | openssl s_client -connect <ESXi-IP>:443
The following errors are observed in the HCX Manager /common/logs/admin/app.log:
<timestamps> UTC [OvfUploadService_SvcThread-1, Ent: HybridityAdmin, , TxId: TxId: #####-####-####-####-############] INFO c.v.v.h.s.ovfupload.OvfUploadJob- Uploading file file:/common/appliances/vcc/4.11.0.0/VCCGateway-4.11.0.0-24449347-disk1.vmdk to https://<ESXi-IP/FQDN>/nfc/#####-####-####-####-############/disk-0.vmdk
<timestamps> UTC [OvfUploadService_SvcThread-1, Ent: HybridityAdmin, , TxId: TxId: #####-####-####-####-############] ERROR c.v.v.h.s.ovfupload.OvfUploadJob- Error in uploading Ovf javax.net.ssl.SSLHandshakeException: null
<timestamps> UTC [OvfUploadService_SvcThread-1, Ent: HybridityAdmin, , TxId: TxId: #####-####-####-####-############] WARN c.v.v.h.s.ovfupload.OvfUploadJob- Error of unknown type : javax.net.ssl.SSLHandshakeException
<timestamps> UTC [InterconnectService_SvcThread-1, IX:########-####-####-####-############, J:76f521d4, , TxId: TxId: #####-####-####-####-############] ERROR c.v.v.h.s.i.DeployAppliance- OvfUpload failed, errorCode:null. stacktrace:null, errorMessage:null. Cause: null
<timestamps> UTC [InterconnectService_SvcThread-1, IX:########-####-####-####-############, J:76f521d4, , TxId: TxId: #####-####-####-####-############] ERROR c.v.v.h.s.i.DeployAppliance- DeployAppliance failed in state CHECK_UPLOAD_OVF. Error: Interconnect Service Workflow OvfUpload failed. Error: null. Cause: null.
java.lang.RuntimeException: Interconnect Service Workflow OvfUpload failed. Error: null. Cause: null
The following logs, located in /var/run/log/envoy.log, can be found on the ESXi host where the OVF upload was attempted. The ESXi host IP/FQDN can be obtained from the HCX app.log mentioned above.
<timestamps> In(166) envoy[2103006]: "<timestamps> info envoy[2103361] [Originator@6876 sub=connection] [Tags: "ConnectionId":"53939"] remote address:<HCX-IP>:34384,TLS_error:|268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN"
<timestamps> In(166) envoy[2103006]: "<timestamps> info envoy[2103359] [Originator@6876 sub=connection] [Tags: "ConnectionId":"53970"] remote address:127.0.0.1:62941,TLS_error:|33554536:system library:OPENSSL_internal:Connection reset by peer"
Validate the ESXi certificate thumbprint and match it with the thumbprint stored in the vCenter Database.
To obtain the SSL thumbprint of the ESXi host from the vCenter Database, SSH into vCenter and run the following command:
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "select id,dns_name,ip_address,host_ssl_thumbprint,expected_ssl_thumbprint from vpx_host;"
To obtain the thumbprint of the SSL certificate installed on the ESXi host, SSH into the ESXi host and run the following command:
openssl x509 -in /etc/vmware/ssl/rui.crt -text -fingerprint | grep -i finger
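The comparison of the two outputs above can be scripted; the following is an added example, not part of the original article. The function names are hypothetical, the host names, addresses and thumbprints are constructed samples, and only the host_ssl_thumbprint column is compared.

```shell
#!/bin/sh
# Added example: compare a host's live certificate fingerprint with the
# host_ssl_thumbprint row that vCenter holds for it.

# Constructed sample of the psql output (hosts and thumbprints are made up).
SAMPLE_DB=' id |      dns_name      | ip_address |                     host_ssl_thumbprint                     | expected_ssl_thumbprint
----+--------------------+------------+-------------------------------------------------------------+-------------------------
 11 | esx01.example.test | 192.0.2.11 | 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D |
 12 | esx02.example.test | 192.0.2.12 | 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:0F:1E:2D:3C |
(2 rows)'
# Constructed sample of the "openssl x509 ... | grep -i finger" line.
SAMPLE_LIVE='SHA1 Fingerprint=1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D'

# Reduce any spelling of a fingerprint to bare uppercase hex.
normalize_thumbprint() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ': \t\r' | tr 'abcdef' 'ABCDEF'
}

# Print host_ssl_thumbprint for the row whose dns_name or ip_address is $2.
db_thumbprint() {   # $1 = psql output, $2 = host name or IP
    printf '%s\n' "$1" | awk -F'|' -v h="$2" '
        NF >= 5 { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
                  if ($2 == h || $3 == h) { print $4; exit } }'
}

# Echo MATCH, MISMATCH, DIGEST_DIFFERS or NOT_FOUND; return 0 only on MATCH.
compare_thumbprints() {   # $1 = psql output, $2 = host, $3 = openssl line
    live=$(normalize_thumbprint "$3")
    stored=$(normalize_thumbprint "$(db_thumbprint "$1" "$2")")
    if [ -z "$stored" ]; then echo NOT_FOUND; return 2; fi
    # Different lengths mean different digest algorithms (e.g. SHA-1 vs
    # SHA-256), not a changed certificate: recompute with the matching digest.
    if [ "${#live}" -ne "${#stored}" ]; then echo DIGEST_DIFFERS; return 3; fi
    if [ "$live" = "$stored" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

# Demo over the constructed samples: one matching host, one stale entry.
for host in esx01.example.test 192.0.2.12; do
    printf '%s: %s\n' "$host" "$(compare_thumbprints "$SAMPLE_DB" "$host" "$SAMPLE_LIVE")"
done
```

In practice, pass the saved psql output as the first argument and the fingerprint line from the ESXi host as the third.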
HCX
vCenter Server
ESXi
The issue was caused by a thumbprint mismatch between the host's current certificate and the thumbprint stored in the vCenter Database.
Disconnect all the ESXi hosts from the vCenter UI and reconnect them to update the vCenter Database with the current thumbprint.
OR
Restart the vpxa and hostd services on the ESXi host via SSH by executing the following commands:
/etc/init.d/vpxa restart
/etc/init.d/hostd restart
After performing either of these steps, the OVF upload to the ESXi host should work, and you should be able to successfully create an HCX Service Mesh.