Attempting to install Rubrik IO filter may fail with error "A specified parameter was not correct: vibUrl Certificate is not trusted for vibUrl"
Article ID: 409557
Updated On:
Products
Issue/Introduction
- Installing Rubrik IOFilter may return error "
A specified parameter was not correct: vibUrl Certificate is not trusted for vibUrl: https://<Rubrik Server>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip" - /var/log/vmware/eam/eam.log:
YYYY-MM-DDTHH:MM:SS | INFO | vlsi | RouteProvider.java | 226 | [AgencyBase->validateAgentConfigs:730edb8638750751] Certificate verification will not be made. Obtaining the certificate and the thumbprint from the provided URL https://<Rubrik Server FQDN or IP>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip using Envoy.YYYY-MM-DDTHH:MM:SS | INFO | vlsi | RouteProvider.java | 325 | [AgencyBase->validateAgentConfigs:<>] https://<Rubrik Server FQDN or IP>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip conversion to use dynamic remote connection route completed. Result: Route(routedUrl:http://localhost:1080/external-tp/http1/<Rubrik Server FQDN or IP>/443/<Rubrik Server certificate Thumbprint>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip, url:https://<Rubrik Server FQDN or IP>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip, pemCertificate:-----BEGIN CERTIFICATE-----YYYY-MM-DDTHH:MM:SS | INFO | vlsi | OpId.java | 37 | [URLChecker->checkURL:<>] created from [AgencyBase->validateAgentConfigs:<>]YYYY-MM-DDTHH:MM:SS | INFO | vlsi | URLChecker.java | 132 | [URLChecker->checkURL:<>] Perfoming checks to URL( http://localhost:1080/external-tp/http1/<Rubrik Server FQDN or IP>/443/<connector ID>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip) for accessibility
YYYY-MM-DDTHH:MM:SS | INFO | vlsi | RoutedHttpOpExecutor.java | 128 | [URLChecker->checkURL:<>] Checking http://localhost:1080/external-tp/http1/<Rubrik Server FQDN or IP>/443/<Rubrik Server certificate Thumbprint>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip for accessibility.YYYY-MM-DDTHH:MM:SS | ERROR | vlsi | EsxAgentManagerImpl.java | 547 | Exception:com.vmware.vim.binding.eam.fault.InvalidUrl: nullat com.vmware.eam.agency.impl.LegacyAgencyBase.checkURL(LegacyAgencyBase.java:1120) ~[eam-server.jar:?]at com.vmware.eam.agency.impl.LegacyAgencyBase.validateAgentConfigs(LegacyAgencyBase.java:1102) ~[eam-server.jar:?]at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_422]at java.lang.Thread.run(Thread.java:750) [?:1.8.0_422]
- /var/log/vmware/envoy-sidecar/envoy-access.log
YYYY-MM-DDTHH:MM:SS info envoy[2525] [Originator@6876 sub=Default] YYYY-MM-DDTHH:MM:SS GET /external-tp/http1/<Rubrik Server FQDN or IP>/443/<>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip 526 upstream_reset_before_response_started{remote_connection_failure,TLS_error:|268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} UF 0 1310 - 14 - - 127.0.0.1:51624 HTTP/1.1 - 127.0.0.1:1080 - - - ##.##.##.##:443 - -YYYY-MM-DDTHH:MM:SS info envoy[2525] [Originator@6876 sub=Default] YYYY-MM-DDTHH:MM:SS HEAD /external-tp/http1/<Rubrik Server FQDN or IP>/443/<Rubrik Server certificate Thumbprint>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip404 upstream_reset_after_response_started{remote_reset} UR 0 0 - 53 51 - 127.0.0.1:51644 HTTP/1.1 - 127.0.0.1:1080 ##.##.##.##:37226 HTTP/2 TLSv1.2 ##.##.##.##:443 - -
- /var/log/vmware/vpxd/vpxd.log:
YYYY-MM-DDTHH:MM:SS error vpxd[PID] [Originator@6876 sub=Default opID=<>] [VpxLRO] -- ERROR task-344054 -- ########-####-####-####-############(########-####-####-####-############) -- IoFilterManager -- vim.IoFilterManager.installIoFilter: :vmodl.fault.InvalidArgument> Result:--> (vmodl.fault.InvalidArgument) {--> faultCause = (vmodl.MethodFault) null,--> faultMessage = <unset>,--> invalidProperty = "vibUrl"--> msg = ""--> }--> Args:-->--> Arg vibUrl:--> "https://<Rubrik Server FQDN or IP>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip"--> Arg compRes:--> 'vim.ClusterComputeResource:domain-<ID>'--> Arg vibSslTrust:
Cause
In order to install Rubrik filter, vCenter Server Appliance (VCSA) performs a HEAD request to Rubrik Appliance. The HEAD request over HTTP2 fails from the server end resulting in the error.
Resolution
As a workaround, proceed to disable http2 request for Rubrik server communication
- Identify the Rubrik Server hostname/IP
- Log in to VCSA using ssh and execute the below command to identify the certificate thumbprint
zgrep "<Rubrik server hostname/IP>" /var/log/vmware/envoy-sidecar/envoy-access* | grep HEAD
Sample Output:
YYYY-MM-DDTHH:MM:SS HEAD /external-tp/http1/<Rubrik server hostname/IP>/443/<Rubrik Server certificate Thumbprint>/connector/rubiofilter-bundle-1.1.22-1OEM.800.1.0.20613240.zip 404 upstream_reset_after_response_started{remote_reset} UR 0 0 - 53 51 - 127.0.0.1:51644 HTTP/1.1 - 127.0.0.1:1080 ##.##.##.##:37226 HTTP/2 TLSv1.2 ##.##.##.##:443 - -
OR
Alternate command to capture the thumbprint via ssh session on VCSA
openssl s_client -connect <Rubrik server hostname/IP>:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin | cut -d '=' -f2 | tr -d ':'
- Capture the
Rubrik Server certificate Thumbprintfrom the output in Step 2 - Download the attached json file and modify the values for <
Rubrik server hostname/IP> (step 1) and <Rubrik Server certificate Thumbprint>fromStep 2
Sample:
21 "prefix": "/external-tp/http1/<Rubrik server hostname/IP>/443/<Rubrik Server certificate Thumbprint>/"
43 "address": "<Rubrik server hostname/IP>",
53 "<Rubrik Server certificate Thumbprint>"
- Upload the updated json file to VCSA under the below location using SCP. Refer to How to upload or download files to or from vCenter and ESXi hosts
/etc/vmware-rhttpproxy/endpoints.conf.d/
- Restart the rhttpproxy service
kill -SIGHUP `pidof rhttpproxy`
- Proceed to register Rubrik IOfilter by accessing the Rubrik Management Interface
Attachments
Feedback
