Unable to deploy and extract OVF Templates in vCenter
Article ID: 389489
Updated On: 03-31-2025
Products
Issue/Introduction
- When attempting to deploy an OVF from vCenter, the following vCenter UI error appears:
Operation failed! Failed to deploy OVF package. ThrowableProxy.cause A general system error occurred: Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => { messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => { id = vapi.security.authentication.invalid, defaultMessage = Unable to authenticate user, args = [], params = <null>, localized = <null> }], data = <null>, errorType = UNAUTHENTICATED, challenge = <null> } - In vCenter - /var/log/vmware/content-library/cls.log
| DEBUG | 97c22833-7d91-4199-b27d-e662ad4b8964 | tomcat-http-13 | ApiMethodSkeleton | Method com.vmware.transfer.transfer_service.create_session threw an exceptioncom.google.common.util.concurrent.UncheckedExecutionException: com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => {messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {id = vapi.security.authentication.invalid,defaultMessage = Unable to authenticate user,args = [],params = <null>,localized = <null>}],data = <null>,errorType = UNAUTHENTICATED,challenge = <null>}at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2086) ~[guava-32.1.0-jre.jar:?]at com.google.common.cache.LocalCache.get(LocalCache.java:4012) ~[guava-32.1.0-jre.jar:?]at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4035) ~[guava-32.1.0-jre.jar:?]at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:5011) ~[guava-32.1.0-jre.jar:?]at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:5018) ~[guava-32.1.0-jre.jar:?]at com.vmware.vcde.common.services.proxy.CachedProxyService.get(CachedProxyService.java:45) ~[vsphere-cs-lib-1.0.0.jar:?]at com.vmware.vcde.common.services.proxy.ApplianceProxySettings.getProxy(ApplianceProxySettings.java:104) ~[vsphere-cs-lib-1.0.0.jar:?]at com.vmware.transfer.impl.HttpClientEndpointImpl.initInt(HttpClientEndpointImpl.java:102) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.HttpClientEndpointImpl.<init>(HttpClientEndpointImpl.java:81) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferEndpointFactory.createInt(TransferEndpointFactory.java:50) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferEndpointFactory.createSource(TransferEndpointFactory.java:32) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferItemImpl.initFromItem(TransferItemImpl.java:157) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferItemImpl.fromItem(TransferItemImpl.java:121) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferSessionImpl.addItems(TransferSessionImpl.java:186) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferSessionImpl.initByCreate(TransferSessionImpl.java:77) ~[ts-main-1.0.0.jar:?]at com.vmware.transfer.impl.TransferServiceImpl.createSession(TransferServiceImpl.java:266) ~[ts-main-1.0.0.jar:?]| WARN | vAPI-I/O dispatcher-1 | SessionApiSecurityUtil | Failed to create child session with session manager com.vmware.cis.session for session XXXX@XXXX.XXX (internal id 73ab7d69-55c5-4e9e-935e-fbd0f5e9e8ef, token 8775b...).com.vmware.vapi.endpoint.vapi.ApiException: nullat com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil.onLoginResult(SessionApiSecurityUtil.java:248) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil.access$500(SessionApiSecurityUtil.java:43) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil$2.setResult(SessionApiSecurityUtil.java:230) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil$2.setResult(SessionApiSecurityUtil.java:220) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.endpoint.session.SessionFacade$1.setResult(SessionFacade.java:112) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.endpoint.session.SessionFacade$1.setResult(SessionFacade.java:94) [vapi-endpoint-1.0.0.jar:?]at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$ResponseCallbackImpl.setResult(JsonApiProvider.java:438) [vapi-runtime.jar:?]at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$ResponseCallbackImpl.received(JsonApiProvider.java:395) [vapi-runtime.jar:?]at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$1.received(JsonApiProvider.java:482) [vapi-runtime.jar:?]at com.vmware.vapi.endpoint.api.ResponseSizeLimitingClient$ResponseSizeLimitingCallback.received(ResponseSizeLimitingClient.java:93) [vapi-endpoint-1.0.0.jar:?] - In vCenter - /var/log/vmware/applmgmt/applmgmt.log
[19666]DEBUG:vmware.appliance.extensions.authentication.authentication_sso:Downloading trusted certs from url : http://localhost:7080/idm/tenant/vsphere.local/certificates?scope=TENANT[19666]ERROR:vmware.appliance.extensions.authentication.authentication_sso:Unhandled exception during SAML token validationTraceback (most recent call last):File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validateself.validate_certificate()File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 674, in validate_certificateself.add_x509_pem_header(c)) for c in certsFromToken]File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate_raise_current_error()File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queueraise exception_type(errors)OpenSSL.crypto.Error: []
[19666]ERROR:vmware.appliance.vapi.auth:Could not parse HOK TokenTraceback (most recent call last):File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validateself.validate_certificate()File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 674, in validate_certificateself.add_x509_pem_header(c)) for c in certsFromToken]File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate_raise_current_error()File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queueraise exception_type(errors)
OpenSSL.crypto.Error: []
Environment
vCenter Server 7.x
Cause
The issue is caused by the certificate chain used to sign the STS certificate being a 4-cert or more chain.
Resolution
- Log in to vCenter as the root user and create a backup of the file
cp /usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py /usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py.bk - Open the file for editing
vi /usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py - Navigate to line number 671 and locate the following code:
# Create chain of certificates to be verified from SAML token. chain = [ crypto.load_certificate( crypto.FILETYPE_PEM, self.add_x509_pem_header(c)) for c in certsFromToken ] - Replace the above code with the following. Note: Beware of indentations.
# Create chain of certificates to be verified from SAML token. chain = [] for c in certsFromToken: try: cert = crypto.load_certificate( crypto.FILETYPE_PEM, self.add_x509_pem_header(c) ) chain.append(cert) except crypto.Error as e: if str(e) == "[]": logger.warning("Load of certificate %s failed, skipping it." % str(c)) else: raise e - Restart the appliance management service:
service-control --restart applmgmt
Additional Information
This issue has been fixed in vCenter Server 8.x and will be addressed in a future 7.x version.
Feedback
