While uploading the upgrade OVA to the management vCenter, the process fails with certificate-related errors.
vpxd.all
####-##-##T##:##:##.#### error vpxd[#####] [Originator@####sub=Default opID=#######-##] [VpxLRO] -- ERROR task-########-- -- photon-3-kube-v#.##.#-vmware.1-###.1-#######-############-- ResourcePool.ImportVAppLRO: :vim.fault.OvfImportFailed
--> Result:
--> (vim.fault.OvfImportFailed) {
--> faultCause = (vmodl.fault.SystemError) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = (vmodl.LocalizableMessage) [
--> (vmodl.LocalizableMessage) {
--> key = "vapi.bindings.method.impl.unexpected",
--> arg = (vmodl.KeyAnyValue) [
--> (vmodl.KeyAnyValue) {
--> key = "0",
--> value = "com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
--> messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
--> id = vapi.security.authorization.invalid,
--> defaultMessage = Unable to authorize user,
--> args = [],
--> params = <null>,
--> localized = <null>
--> }],
--> data = <null>,
--> errorType = UNAUTHORIZED
--> }"
--> }
--> ],
--> message = "Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
--> messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
--> id = vapi.security.authorization.invalid,
--> defaultMessage = Unable to authorize user,
--> args = [],
--> params = <null>,
--> localized = <null>
--> }],
--> data = <null>,
--> errorType = UNAUTHORIZED
--> }"
--> }
--> ],
--> reason = ""
--> msg = "Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
--> messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
--> id = vapi.security.authorization.invalid,
--> defaultMessage = Unable to authorize user,
--> args = [],
--> params = <null>,
--> localized = <null>
--> }],
--> data = <null>,
--> errorType = UNAUTHORIZED
--> }"
--> },
--> faultMessage = <unset>
--> msg = ""
--> }
--> Args:
-->
####-##-##T##:##:##.#### info vpxd[#####] [Originator@#### sub=vmomi.soapStub[####] opID=#######-##] SOAP request returned HTTP failure; <<io_obj p:#x######################, h:69, <TCP '###.#.#.# : #####'>, <TCP '###.#.#.# : #####'>>, /vsm/ovfConsumer/>, method: unregisterEntities; code: 500(Internal Server Error); fault: (vmodl.fault.SecurityError) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>
--> msg = "Received SOAP response fault from [<<io_obj p:#x######################, h:69, <TCP '###.#.#.# : #####'>, <TCP '###.#.#.# : #####'>>, /vsm/ovfConsumer/>]: unregisterEntities
--> Expired token in request"
--> }
####-##-##T##:##:##.#### info vpxd[#####] [Originator@#### sub=OvfConsumers opID=######-##] Failed to invoke OVF stub adapter, will re-try after login; N5Vmomi5Fault13SecurityError9ExceptionE(Fault cause: vmodl.fault.SecurityError
--> )
--> [context################################################################################################################################+#############+######################+######################################/###################=[/context]
####-##-##T##:##:##.#### info vpxd[#####] [Originator@#### sub=vpxLro opID=######-##] [VpxLRO] -- FINISH lro-########
applmgmt.log
####-##-##T##:##:## ## ### [####]DEBUG:root:Validated user privileges in localstore or SSO
####-##-##T##:##:## ## ### [####]DEBUG:root:Validated user privileges in localstore or SSO
####-##-##T##:##:## ## ### [####]DEBUG:root:Validated user privileges in localstore or SSO
####-##-##T##:##:## ## ### [####]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.recovery.backup.job, operation_id: list
####-##-##T##:##:## ## ### [####]DEBUG:root:authorization_sso module offline
####-##-##T##:##:## ## ### [####]DEBUG:root:Reloading authorization_sso ...
####-##-##T##:##:## ## ### [####]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:_system_domain: ########.######
####-##-##T##:##:## ## ### [####]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:Looking up SSO endpoint for authorization
####-##-##T##:##:## ## ### [####]ERROR:root:Authorization module (authorization_sso) failed to initialize {[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:####)}
####-##-##T##:##:## ## ### [####]ERROR:root:Reload failed {[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:####)}
Environment: 8.0 U3
The intermediate certificate is expired. Even though a new Machine SSL certificate with the updated root/chain certificate has already been imported, the old certificate is still present in the trusted store. During the OVA upload, the system continues to use the expired certificate, which causes the failure.
Remove the expired intermediate certificate from the trusted store and retry the OVA upload. After clearing the old certificate, the upload goes through successfully.
Reference: Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)
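Before removing anything, confirm which TRUSTED_ROOTS entry is the expired one. The script below is an added example, not part of the original article or VMware tooling: it parses a text listing of the store and reports entries whose Not After date has passed. The listing format (as printed by `vecs-cli entry list --store TRUSTED_ROOTS --text`), the aliases and the subject names in the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, not from the page: trimmed text in the shape printed by
# `vecs-cli entry list --store TRUSTED_ROOTS --text` (assumed format).
SAMPLE_LISTING = """\
Alias : aaaa1111-constructed-old-intermediate
Entry type : Trusted Cert
Certificate:
        Validity
            Not Before: Jan  5 00:00:00 2019 GMT
            Not After : Jan  4 23:59:59 2024 GMT
        Subject: CN=Example Intermediate CA
Alias : bbbb2222-constructed-new-intermediate
Entry type : Trusted Cert
Certificate:
        Validity
            Not Before: Dec  1 00:00:00 2023 GMT
            Not After : Nov 30 23:59:59 2033 GMT
        Subject: CN=Example Intermediate CA
"""

FIELD_RE = re.compile(r"^\s*(Alias|Not After|Subject)\s*:\s*(.+?)\s*$")

def parse_entries(listing):
    """Return one dict per store entry with alias, subject and expiry."""
    entries = []
    for line in listing.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Alias":
            entries.append({"alias": value})
        elif entries and key == "Not After":
            stamp = " ".join(value.split())  # collapse padded day ("Jan  4")
            entries[-1]["not_after"] = datetime.strptime(
                stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif entries and key == "Subject":
            entries[-1]["subject"] = value
    return entries

def expired_entries(listing, now):
    """Entries whose Not After is in the past: candidates for removal."""
    return [(e["alias"], e.get("subject", "?"), e["not_after"].date().isoformat())
            for e in parse_entries(listing)
            if "not_after" in e and e["not_after"] < now]

if __name__ == "__main__":
    for alias, subject, day in expired_entries(SAMPLE_LISTING, datetime.now(timezone.utc)):
        print(f"EXPIRED {day}  {subject}  alias={alias}")
```

The sample deliberately holds two entries with the same subject, matching the situation described above where the renewed chain was imported but the expired intermediate was left in place; only the alias distinguishes them.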