Subscribing to content library fails with error The Remote library is not reachable.

Article ID: 407820

Products

VMware vCenter Server

Issue/Introduction

  • Content library subscription fails with the error "The Remote library is not reachable".
  • The CLS log contains entries similar to the following.

Log location: /var/log/vmware/content-library/cls.log

YYYY-MM-DDTHH:MM:SS | ERROR    | ########-####-####-####-#########-## | cls-simple-activity-18    | VcspClientImpl                 | exception while getting vcsp endpoint https://<Content library url>/lib.json
org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)
        at org.bouncycastle.tls.TlsProtocol.handleAlertMessage(TlsProtocol.java:245) ~[bctls-fips-1.0.18.jar:1.0.18]
        at org.bouncycastle.tls.TlsProtocol.processAlertQueue(TlsProtocol.java:740) ~[bctls-fips-1.0.18.jar:1.0.18]
        at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:563) ~[bctls-fips-1.0.18.jar:1.0.18]

  • To check the details of the handshake and the chosen cipher suite, run the following command from vCenter.

openssl s_client -connect <Content-library-url>:443 -tls1_2

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: ############################################
    Session-ID-ctx:

  • From the above output we can confirm that the content library supports the "ECDHE-RSA-AES128-SHA" cipher suite.

  • Run the following command to see which ciphers and TLS versions are currently enabled on vCenter Server.

    SSH to vCenter and run the following command, then compare its output with the previous one to validate whether the cipher suite supported by the Content library is enabled on vCenter.

    /usr/lib/vmware-vsr/bin/ssl_scanner --host localhost:443 | less

    endpoint: localhost:443
    tls_protocols:
      - version: tlsv1_2
        ciphers:
          accepted:
            - ECDHE-RSA-AES256-GCM-SHA384
            - ECDHE-RSA-AES128-GCM-SHA256
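The comparison between the two outputs above can be automated. The following script is an added example, not part of this article or of vCenter; it parses the SSL-Session block printed by openssl s_client and the tls_protocols section printed by ssl_scanner (both embedded here as constructed samples mirroring the outputs shown above) and reports whether the cipher suite negotiated with the remote library is among those vCenter accepts.

```python
import re

# Constructed samples mirroring the two command outputs shown above.
S_CLIENT_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
"""
SSL_SCANNER_OUTPUT = """\
endpoint: localhost:443
tls_protocols:
  - version: tlsv1_2
    ciphers:
      accepted:
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES128-GCM-SHA256
"""

def negotiated_suite(s_client_text):
    """Return (protocol, cipher) from the SSL-Session block of openssl s_client."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_text, re.M)
    if not (proto and cipher):
        raise ValueError("no SSL-Session block: the handshake itself probably failed")
    return proto.group(1), cipher.group(1)

def accepted_suites(scanner_text):
    """Parse ssl_scanner output into {version: set(accepted ciphers)}.
    Small line parser for the YAML shape shown above; avoids a PyYAML dependency."""
    result, version, in_accepted = {}, None, False
    for line in scanner_text.splitlines():
        s = line.strip()
        if s.startswith("- version:"):
            version, in_accepted = s.split(":", 1)[1].strip(), False
            result[version] = set()
        elif s == "accepted:":
            in_accepted = True
        elif s.endswith(":"):        # any other key (e.g. rejected:) ends the list
            in_accepted = False
        elif in_accepted and s.startswith("- ") and version:
            result[version].add(s[2:].strip())
    return result

def library_cipher_enabled(s_client_text, scanner_text):
    """True when vCenter accepts the cipher suite the remote library negotiated."""
    proto, cipher = negotiated_suite(s_client_text)
    key = proto.lower().replace(".", "_")   # TLSv1.2 -> tlsv1_2 (ssl_scanner naming)
    return cipher in accepted_suites(scanner_text).get(key, set())

if __name__ == "__main__":
    ok = library_cipher_enabled(S_CLIENT_OUTPUT, SSL_SCANNER_OUTPUT)
    print("cipher enabled on vCenter" if ok else "MISMATCH: the TLS profile blocks this cipher")
```

With the sample data the script reports a mismatch, which is exactly the situation that produces the handshake_failure(40) alert in cls.log; in practice, feed it the real output of the two commands.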

Environment

vCenter Server 8.x

Cause

The vCenter Server was set to use the "NIST_2024" TLS profile, which disables the "ECDHE-RSA-AES128-SHA" cipher suite. As a result, the TLS handshake failed because no common cipher suite could be negotiated.

Resolution

To enable the "ECDHE-RSA-AES128-SHA" cipher suite on vCenter, change the TLS profile to "COMPATIBLE".

Note: Changing the TLS profile restarts vCenter services. Schedule downtime and take a backup or offline snapshot of vCenter before proceeding.

  • To view the current profile on vCenter Server, run this command.

    • SSH to the vCenter server and run:
      cat /var/lib/applmgmt/tls_settings.yaml
      mode: NIST_2024
      status: PENDING

  • To change the TLS profile from “NIST_2024” to “COMPATIBLE”, do the following.

    • Log in to the vCenter Server system with the vSphere Client.
    • From the Menu, select Developer Center.
    • Click API Explorer.
    • From the Select API drop-down, select appliance.
    • Scroll down and expand “tls/profiles/global/”.
    • Expand the PUT option, enter the value { "profile": "COMPATIBLE" } and click the "Execute" button.
    • Confirm the change was successful by executing the “tls/profiles/global/” GET command. If the value has changed properly, the profile value is shown as “COMPATIBLE”.

      OR

      SSH to vCenter and run:
      cat /var/lib/applmgmt/tls_settings.yaml
      mode: COMPATIBLE
      status: PENDING

Additional Information