Content Library Sync Failure on vCenter hosted on Azure Due to DNS Resolution
Article ID: 422230


Products

VMware vCenter Server

Issue/Introduction

  • The Azure cloud vCenter (VCSA) could not sync Content Library images. Subscribed items appeared with a size of 0B.

  • While we were able to add a subscription using the on-prem vCenter IP address, it failed to add using the FQDN on the Azure cloud vCenter.

  • Initial checks indicated DNS resolution issues on the cloud side, including failed reverse lookups.

  • When the subscription is added using the IP address instead of the FQDN, the sync fails with TLS certificate-chain errors; entries similar to the following appear in

    /var/log/vmware/content-library/cls.log

    DEBUG    | mhba86e2-218044-auto-4o8t-h5:70065435 | tomcat-http-4             | CertificateTrustStrategy       | CertificateTrustStrategy isTrusted: sslThumbprint null, sslCertificate null sourceUrl https://##.#.##.##:443/cls/vcsp/lib/ac039e9e-####-####-####-##########/lib.json
    ERROR    | mhba86e2-218044-auto-4o8t-h5:70065435 | tomcat-http-4             | VcspClientImpl                 | Remote library certificate error: certificate_unknown(46)org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
    Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
    Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    DEBUG    | mhba86e2-218044-auto-4o8t-h5:70065435 | tomcat-http-4             | CertificateTrustStrategy  | getServerThumbprint:  algorithm SHA-1  host https://##.#.##.##:443/cls/vcsp/lib/ac039e9e-####-####-####-##########/lib.json
    DEBUG    | mhba86e2-218044-auto-4o8t-h5:70065435 | tomcat-http-4             | HashMode  | VC_HASH_MODERNIZATION is not enabled
    DEBUG    | null             | vAPI-client-connection-monitor | ConnectionMonitor              | Cleaned-up 7 connection pool(s)
    DEBUG    | mhba86e2-218053-auto-4o92-h5:70065439 | tomcat-http-31 | CertificateTrustStrategy | CertificateTrustStrategy isTrusted: sslThumbprint null, sslCertificate null sourceUrl https://##.#.##.##:443/cls/vcsp/lib/ac039e9e-####-####-####-##########/lib.json
    ERROR    | mhba86e2-218053-auto-4o92-h5:70065439 | tomcat-http-31   | VcspClientImpl  | Remote library certificate error: certificate_unknown(46) org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)

Environment

vCenter 8.x
vCenter 9.x

Cause

The Azure cloud vCenter could not resolve the on-premises FQDNs, and reverse DNS lookups for the on-premises addresses failed.

Resolution

  1. Reconfigure the proxy to use the customer’s Private DNS Resolver.
  2. Ensure the Private DNS Resolver has a forwarding rule to the customer’s Tier-1 DNS forwarder for the on-prem domain.
  3. Link the relevant private DNS zone(s) to the proxy’s VNet.
  4. Validate forward and reverse DNS resolution from the Azure cloud vCenter/proxy.
  5. Retest the Content Library subscription using the FQDN and confirm image sizes populate and synchronization completes successfully.
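Step 4 above asks you to validate both forward and reverse resolution from the Azure-side vCenter or proxy before retesting the subscription. The following script is an added example, not code from this article or from VMware; it checks that the on-prem FQDN resolves, that every returned address has a PTR record, and that each PTR name resolves back to the same address. The resolver functions are injectable (the `forward`/`reverse` parameters are this example's own design) so the check can be exercised against a constructed name table; by default it uses the host's stub resolver.

```python
# Forward/reverse DNS consistency check, run from the Azure-side vCenter or proxy.
# Added example (not the KB's own code). Resolver functions are injectable so the
# logic can be tested against a constructed name table; defaults use the system
# stub resolver, i.e. whatever the appliance's /etc/resolv.conf points at.
import socket
from typing import Callable, Dict, List


def default_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def default_reverse(ip: str) -> str:
    """PTR lookup via the system resolver; empty string on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ""


def check_dns(fqdn: str,
              forward: Callable[[str], List[str]] = default_forward,
              reverse: Callable[[str], str] = default_reverse) -> Dict[str, object]:
    """Report addresses, per-IP PTR names, problems found and an overall 'ok'.

    'ok' means the FQDN resolves, every address has a PTR, and each PTR name
    resolves back to that address (forward-confirmed reverse DNS): the state
    step 4 of the resolution asks you to confirm before retesting the sync.
    """
    name = fqdn.rstrip(".").lower()
    ips = forward(name)
    ptrs: Dict[str, str] = {}
    problems: List[str] = []
    if not ips:
        problems.append(f"forward lookup failed for {name}")
    for ip in ips:
        ptr = reverse(ip).rstrip(".").lower()
        ptrs[ip] = ptr
        if not ptr:
            problems.append(f"no PTR record for {ip}")
        elif ip not in forward(ptr):
            problems.append(f"PTR {ptr} for {ip} does not resolve back to {ip}")
    return {"fqdn": name, "ips": ips, "ptrs": ptrs, "problems": problems, "ok": not problems}
```

From a Python shell on the proxy, `check_dns("vcsa-onprem.corp.example")` (placeholder name) returns a report whose `problems` list is empty only when the forwarding rule and linked private zones from steps 1 to 3 are working; any entry in it names the record that is still missing.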