Unable to run vCenter API Explorer commands with error "UNAUTHENTICATED"

Article ID: 394658


Updated On:

Products

VMware vCenter Server 8.0

Issue/Introduction

In the vCenter 8.0 U3 API Explorer, when you try to execute GET or PUT commands to manage TLS profiles, a pop-up box appears requesting credentials. Even when the local SSO admin credentials are entered, the request fails with the error "UNAUTHENTICATED". No proper output is returned and the changes do not complete.

In the logs you may see the following:

/var/log/vmware/envoy/envoy-access-#.log

  • API command runs and fails.

YYYY-MM-DDTHH:MM:SS.119Z GET /apigw/rest/api/appliance/tls/profiles/global 401 via_upstream - 0 131 zstd 833 832 0 #.#.#.#:62997 HTTP/2 TLSv1.2 #.#.#.#:443 127.0.0.1:34814 HTTP/1.1 - 127.0.0.1:5090

 

/var/log/vmware/applmgmt/applmgmt.log

  • The log states that the API call failed because one or more certificates cannot be verified.

YYYY-MM-DDTHH:MM:SS PM CET [9446]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
    self.validate_certificate()
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 709, in validate_certificate
    raise AuthenticationError(
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
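
The following script is an added example, not part of the original article or of any VMware tooling: it checks an envoy access log and applmgmt.log for the two signatures shown above. The function names, result labels and sample log lines are constructed for illustration, and the envoy field positions are assumed from the sample line in this article.

```bash
#!/usr/bin/env bash
# Added example: look for the two log signatures quoted in this article.

# 401 responses on API gateway requests. Field positions are assumed from the
# article's sample envoy line: $2 = method, $3 = path, $4 = HTTP status.
count_api_401() {
    awk '$3 ~ /^\/apigw\/rest\/api\// && $4 == "401" { n++ } END { print n + 0 }' "$1"
}

# Token validation failures and their stated cause in applmgmt.log.
count_hok_errors() {
    awk '/Could not parse HOK Token/ { n++ } END { print n + 0 }' "$1"
}
count_cert_errors() {
    awk '/AuthenticationError: One or more certificates cannot be verified/ { n++ }
         END { print n + 0 }' "$1"
}

# triage ENVOY_LOG APPLMGMT_LOG  ->  MATCH | PARTIAL | NO_MATCH
triage() {
    _api=$(count_api_401 "$1")
    _hok=$(count_hok_errors "$2")
    _cert=$(count_cert_errors "$2")
    if [ "$_api" -gt 0 ] && [ "$_hok" -gt 0 ] && [ "$_cert" -gt 0 ]; then
        echo MATCH        # both signatures from this article are present
    elif [ "$_api" -gt 0 ]; then
        echo PARTIAL      # 401s without the certificate error: look for another cause
    else
        echo NO_MATCH
    fi
}

# Constructed sample logs (timestamps and addresses are made up).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/envoy-access-0.log" <<'EOF'
2025-01-01T10:00:00.119Z GET /apigw/rest/api/appliance/tls/profiles/global 401 via_upstream - 0 131 zstd 833 832 0 192.0.2.10:62997 HTTP/2 TLSv1.2 192.0.2.20:443 127.0.0.1:34814 HTTP/1.1 - 127.0.0.1:5090
EOF
cat > "$SAMPLES/applmgmt.log" <<'EOF'
2025-01-01T10:00:00 AM CET [9446]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
EOF
: > "$SAMPLES/empty.log"

triage "$SAMPLES/envoy-access-0.log" "$SAMPLES/applmgmt.log"   # both signatures
triage "$SAMPLES/envoy-access-0.log" "$SAMPLES/empty.log"      # 401 only
```

On the appliance, call `triage` with the two log paths named above instead of the sample files. After the STS certificate has been renewed, new API Explorer requests should no longer add 401 lines.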

Environment

vCenter Server 8.0 U3

Cause

The STS certificate may have been carried over from legacy builds and be formatted in a way that keeps certain functions and features from working properly in vCenter 8.0 U3. We have seen this happen when vCenter servers have been upgraded over time from 6.x to 7.x, and then to 8.x. Some issues become present within 7.x as well.

Note: There is currently no way for us to detect/compare the STS cert for these types of issues.

Resolution

IMPORTANT! Snapshot the vCenter before making any changes. See "Snapshot Best practices for vCenter Server Virtual Machines" and "VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice" for more information. Take proper snapshots and/or backups of the VCSA VM.

    • If in linked mode (ELM), take offline snapshots for all linked VCSA VMs
    • The STS cert only needs to be replaced on one VCSA, as it will be replicated to all other linked VCSAs



The steps below require downtime for the VCSA(s); vCenter services will be restarted. Schedule a maintenance window, if necessary, to perform these steps.

  • Renew ("Refresh") the STS certificate using either the vSphere Client UI or the vCert tool.

  • Execute the API Explorer GET/PUT commands to confirm they are now working.