kubectl vsphere login to TKC fails with error "Creating wcp.Client for **************" "Does not appear to be a vCenter or ESXi address"

Article ID: 396244


Updated On: 05-02-2025

Products

VMware vSphere Kubernetes Service

Issue/Introduction

kubectl login to TKC fails with:

 

> kubectl vsphere login --server= ************** --vsphere-username administrator@vpshere.local --tanzu-kubernetes-cluster-namespace <tkc namespace> --tanzu-kubernetes-cluster-name <tkc name> -v 10
DEBU[0000] Setting request timeout:
DEBU[0000] login called as: /usr/bin/kubectl-vsphere login --server=************** --vsphere-username administrator@vpshere.local --tanzu-kubernetes-cluster-namespace<tkc namespace> --tanzu-kubernetes-cluster-name <tkc name> -v 10
DEBU[0000] Creating wcp.Client for **************.
INFO[0000] Does not appear to be a vCenter or ESXi address.
There was an error when trying to connect to the server.\nPlease check the server URL and try again.FATA[0000] Error while connecting to host **************: internal server error.

 

 

Check whether authproxy-client.crt has expired:

root@************** [ ~ ]# openssl x509 -noout -dates -in /etc/vmware/wcp/tls/authproxy-client.crt
notBefore=May 2 12:42:33 2023 GMT
notAfter=May 1 12:42:33 2025 GMT

 

Note: Rotating the certificates via certmgr does not renew authproxy-client.crt.

See also:

Replace vSphere with Tanzu Supervisor Certificates (90627)

https://knowledge.broadcom.com/external/article?legacyId=90627

Environment

vSphere 8.0U2

Cause

Update-controller is unable to update the authproxy-client cert

Resolution

Verify the issue:

Compare the authproxy-client certificate held in wcp-authproxy-client-secret with the copy on disk:

kubectl -n kube-system get certificates wcp-authproxy-client-certificate

kubectl -n kube-system get secret wcp-authproxy-client-secret -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text

openssl x509 -noout -text -in /etc/vmware/wcp/tls/authproxy-client.crt

 

If the certificates don't match:

 

a) Replace authproxy-client certificates on all 3 Supervisor control planes

kubectl -n kube-system get secret wcp-authproxy-client-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > /etc/vmware/wcp/tls/authproxy-client.crt 
kubectl -n kube-system get secret wcp-authproxy-client-secret -o jsonpath='{.data.tls\.key}' | base64 -d > /etc/vmware/wcp/tls/authproxy-client.key
kubectl -n kube-system get secret wcp-authproxy-client-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > /etc/vmware/wcp/tls/authproxy-client-ca.crt

kubectl -n vmware-system-pinniped get secret pinniped-supervisor-default-tls-certificate -o jsonpath='{.data.ca\.crt}' | base64 -d > /etc/vmware/wcp/tls/pinniped.crt

 

b) Restart kubectl-plugin-vsphere and wcp-authproxy pods on all 3 Supervisor control planes

crictl ps | grep kubectl-plugin-vsphere

430bf094421ab 65d9362b7bf13 6 days ago Running kubectl-plugin-vsphere 4 f30dc29a24f88 kubectl-plugin-vsphere-**************

root@************** [ ~ ]# crictl stop 430bf094421ab

 

crictl ps|grep auth

fc1825bb69163       63fcc96a4caf0       15 minutes ago      Running             wcp-authproxy                9                   878d8b5a56074       wcp-authproxy-**************

root@**************[ ~ ]# crictl stop fc1825bb69163

fc1825bb69163

root@************** [ ~ ]#

 

Verify that authproxy-client.crt is valid:

 

root@************** [ ~ ]# openssl x509 -noout -dates -in /etc/vmware/wcp/tls/authproxy-client.crt
notBefore=Aug 31 12:42:33 2024 GMT
notAfter=Aug 31 12:42:33 2026 GMT

 

Verify that kubectl login to TKC is working now
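
The comparison and validity checks in the steps above can be scripted rather than read off `openssl x509 -text` output. This is an added example, not part of the original article or of VMware tooling: it compares SHA-256 fingerprints of the on-disk certificate and the one in wcp-authproxy-client-secret, flags a secret that is itself expired or expiring, and confirms the on-disk key belongs to the certificate. The function names, state labels, `--live` switch and 30-day window are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KB article. The secret name and paths are the
# ones the article uses; function names, state labels and --live are assumed.
DISK_CRT=/etc/vmware/wcp/tls/authproxy-client.crt
DISK_KEY=/etc/vmware/wcp/tls/authproxy-client.key

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# cert_state <on-disk cert> <cert from secret> [window in seconds]
# Prints one of: secret-expiring, drift, in-sync
cert_state() {
    window=${3:-0}
    # A secret that is expired, unreadable, or expires inside the window must
    # not be copied to disk: the login would keep failing.
    if ! openssl x509 -noout -checkend "$window" -in "$2" >/dev/null 2>&1; then
        echo secret-expiring
    elif [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ]; then
        echo drift      # on-disk copy differs: step a) of the article applies
    else
        echo in-sync
    fi
}

# Succeeds only when the private key holds the certificate's public key.
key_matches_cert() {
    pub=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Live check on a Supervisor control plane node: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    kubectl -n kube-system get secret wcp-authproxy-client-secret \
        -o jsonpath='{.data.tls\.crt}' | base64 -d > "$tmp"
    echo "state: $(cert_state "$DISK_CRT" "$tmp" 2592000)"   # 30-day window
    if key_matches_cert "$DISK_CRT" "$DISK_KEY"; then
        echo "key: matches certificate"
    else
        echo "key: does NOT match certificate"
    fi
fi
```

Run it on each of the 3 Supervisor control planes before and after step a); `drift` before and `in-sync` with a matching key afterwards is the expected sequence.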

Additional Information

A permanent fix is included in 8.0U3.