vCenter Task alert shows error in downloading SDDC Manager Remote Plug-in

Products

VMware SDDC Manager VMware vCenter Server

Issue/Introduction

This article provides steps to identify the issue reported by vCenter Task console and how to remediate.

vCenter Task console shows error similar to:

"Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. Unable to find certificate chain."
"SDDC Manager Remote Plugin com.vmware.vcf.client:<sddc-version>"

vSphere client logs in vCenter server reports log entries similar to /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

[yyyy-mm-ddThh:mm:ss.mssZ] [ERROR] sdk-plugin-deployer-22776 com.vmware.vise.plugin.status.RemotePluginStatusServiceImpl DOWNLOAD_FAILED: Error downloading pluginpackage com.vmware.vcf.client:5.2.1.24397684 from https://<vcenter-fqdn>:443/plugin/manifests.zip. Reason: Download error. Make sure that the URL is reachable and the thumbprint is correct.
[yyyy-mm-ddThh:mm:ss.mssZ] [ERROR] sdk-plugin-deployer-22776 com.vmware.vise.plugin.extension.VcExtensionManager Downloading plugin package: 'com.vmware.vcf.client:<sddc-version>' registered in vCenter: '<vcenter-fqdn> (######-####-####-####-#############)' has failed. java.util.concurrent.CompletionException: com.vmware.vise.plugin.download.PluginDownloadException: TlsFatalAlert: certificate_unknown(46) at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)

Also confirm the certificate status by running VDT tool for SDDC manager. Refer to the following article on how to collect diagnostic data for SDDC Manager Using the VCF Diagnostic Tool for SDDC Manager

A similar output can be observed in the vdt report:

"<vCenter-fqdn>": [
{
"title": "Certificate Trust Check",
"result": "FAIL",
"details": [
"Root Cert is missing from keystore \"/etc/vmware/vcf/commonsvcs/trusted_certificates.store\" and \"/etc/alternatives/jre/lib/security/cacerts\".",
" - C=##, ST=##, L=####, O=###, OU=##, CN=<vCenter-fqdn>"],
"documentation": "https://knowledge.broadcom.com/external/article/316056",
"notes": "Refer to the KB above to add the Root Certificate to the keystores."
}

Cause

Issue occurrence is observed post certificate renew outside SDDC manager. This might lead to SDDC manager using older records of registered certificates, while communicating with vCenter server.

Resolution

The resolution is of two methods. Steps for each method has been mentioned below.

Note: Take a backup of SDDC manager and vCenter server. Do not proceed without this step.

Method 1:

Run the attached 'vcRootCaSync' script to correct the vCenter certificate and thus replace old certificate with an updated one in SDDC manager trust store.
For further details please refer to the steps mentioned in: How to import the vCenter root certificate into the SDDC manager TrustStore

Method 2:

Remove SDDC plugin from vCenter server

Navigate to vCenter server > Administration > Solutions > Client Plugins.
Select the plugin and remove the "SDDC Manager Remote Plugin"
Restart SDDC manager UI service from putty session
- Login to SDDC Manager as 'vcf' user via Putty client
- Switch to root user using 'su' command
- Restart SDDC Manager user service: systemctl restart sddc-manager-ui-app
- This will push the client plugin again.

To confirm, navigate to vCenter server > Administration > Solutions > Client Plugins. The status reads as 'Deployed'