When configuring a new cloud site in VMware Cloud Director Availability (VCDA) 4.x, you observe the following symptoms:
In the VCDA Provider Portal, System Health shows the Tunnel Connectivity status as "Down".
The error reported for that check is: Generic error during SSL handshake.
Applies to: VMware Cloud Director Availability 4.x
This error means a failed TLS trust check, not a network or port problem: the service that logs it was presented a certificate it cannot chain to anything in its trust store. VCDA trusts the certificates of its endpoints and peer sites individually (you verify and accept each one when you configure or pair it), so a certificate that was regenerated or replaced after it was accepted, whether on the Lookup Service, on the provider's Tunnel service or on an on-premises VCDA appliance, fails validation until it is accepted again.
You can confirm this in cloud.log on the VCDA appliance, which contains an entry like the one below. The key part is "unable to find valid certification path to requested target": the Java PKIX path builder could not connect the presented certificate to a trusted anchor, which is a trust problem rather than a protocol-version or cipher mismatch.
Logs (/opt/vmware/h4/cloud/log/cloud.log):
com.vmware.exception.GenericSSLException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ... Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To resolve this, re-establish the broken trust. Re-confirming the service endpoints in the VCDA UIs makes VCDA fetch each endpoint's current certificate again and trust it. Follow both procedures below, in order.
Procedure 1: re-trust the vCenter Lookup Service. VCDA depends on the Lookup Service for its core communication with vCenter, so its certificate must be trusted first.
Log in to the Replication Management Portal (Appliance Management UI) as the root user.
URL: https://<VCDA-Appliance-FQDN>:8441/ui/admin
Navigate to Configuration in the left-hand menu.
Under Service endpoints, find Lookup Service Address and click Edit.
Re-enter or confirm the correct Lookup Service address (e.g., your vCenter FQDN) and click Apply. VCDA re-fetches the Lookup Service certificate; if it prompts you to accept the certificate, compare the thumbprint with the one your vCenter presents before accepting, so that you are not pinning a certificate from an interposed host.
After applying, re-pair the local replicator with the manager so that the refreshed trust is propagated to it.
Procedure 2: re-trust the Tunnel service endpoint. The Tunnel service is the public-facing endpoint that peer sites connect to, so this is the trust relationship the Tunnel Connectivity check exercises.
Log in to the VCDA Provider UI.
URL: https://<VCDA-Manager-FQDN>/provider
Navigate to Configuration > Service Endpoints.
In the Tunnel section, click the Edit (pencil) icon.
Verify that the Tunnel Public Address is correct: it must be the FQDN or IP address and port that every on-premises tenant can resolve and reach.
Example: https://vcda-tunnel.your-cloud.com:8048
Click Save even if the address is unchanged. Saving re-applies the configuration, makes the cloud service reconnect to the Tunnel service and re-read its certificate, and so re-establishes the trust for the tunnel endpoint.
After completing both procedures, return to the System Health page and confirm that Tunnel Connectivity is now "Up". If it stays Down, check cloud.log again: a fresh PKIX entry with a later timestamp means some certificate is still untrusted, and if the provider's Tunnel certificate was recently replaced, the on-premises sites that pinned the old one must re-pair and accept the new certificate.
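Two checks support the log section above and the final verification step: counting and showing the PKIX failures in cloud.log, and looking at the certificate an endpoint actually presents so its fingerprint can be compared with the one VCDA asks you to accept. The helper below is an added example, not code from the article or from VMware; it assumes openssl is on PATH, that the Tunnel service listens on 8048 and the Lookup Service on 443, and uses hypothetical environment variables (CLOUD_LOG, VCDA_TUNNEL_HOST, VCDA_TUNNEL_PORT, LOOKUP_SERVICE_HOST) so that it makes no network connection unless you name an endpoint. The sample log lines it exercises are constructed in the shape of the entry quoted above.

```shell
#!/bin/sh
# Added diagnostic helper, not VMware's code. Assumptions: openssl is on PATH,
# the Tunnel service listens on 8048 and the Lookup Service on 443, and the
# manager's log is /opt/vmware/h4/cloud/log/cloud.log (override with $CLOUD_LOG).
set -u

PKIX_PATTERN='unable to find valid certification path'

# Number of PKIX trust failures in a cloud.log. Prints 0 when there are none
# or the file is unreadable, so it is safe to use under set -e.
count_pkix_failures() {
  n=$(grep -c "$PKIX_PATTERN" "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Most recent PKIX failure line; its prefix tells you which service logged it.
last_pkix_failure() {
  grep "$PKIX_PATTERN" "$1" 2>/dev/null | tail -n 1
}

# What an endpoint actually presents: leaf subject, issuer, expiry and SHA-256
# fingerprint, plus openssl's own verify result. Compare the fingerprint with
# the one VCDA shows when it asks you to accept the certificate.
tls_endpoint_summary() {
  host="$1"; port="$2"
  chain=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null) \
    || { echo "connect to $host:$port failed" >&2; return 1; }
  # First PEM block in the output is the leaf certificate.
  printf '%s\n' "$chain" \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | sed '/-----END CERTIFICATE-----/q' \
    | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
  printf '%s\n' "$chain" | grep 'Verify return code'
}

CLOUD_LOG="${CLOUD_LOG:-/opt/vmware/h4/cloud/log/cloud.log}"

# Constructed sample in the shape of the cloud.log entry quoted in the article,
# so the log helpers can be exercised without a real appliance.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
INFO  tunnel-health  Checking tunnel connectivity
ERROR tunnel-health  com.vmware.exception.GenericSSLException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR tunnel-health  Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF

echo "sample log: $(count_pkix_failures "$SAMPLE_LOG") PKIX failures"
if [ -r "$CLOUD_LOG" ]; then
  echo "$CLOUD_LOG: $(count_pkix_failures "$CLOUD_LOG") PKIX failures"
  echo "last: $(last_pkix_failure "$CLOUD_LOG")"
fi

# Live certificate checks run only when the operator names the endpoints.
if [ -n "${VCDA_TUNNEL_HOST:-}" ]; then
  tls_endpoint_summary "$VCDA_TUNNEL_HOST" "${VCDA_TUNNEL_PORT:-8048}"
fi
if [ -n "${LOOKUP_SERVICE_HOST:-}" ]; then
  tls_endpoint_summary "$LOOKUP_SERVICE_HOST" 443
fi
```

Run it on the appliance after each procedure: the PKIX count in the real cloud.log should stop growing, and a Tunnel or Lookup Service fingerprint that differs from the one VCDA last accepted is the certificate that needs to be re-accepted.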