Can't launch Web Console from VCF Automation 9 VM, fails with "error received from server: vmware internal error 05".


Article ID: 424325


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • When attempting to launch a virtual machine web console from VMware Cloud Foundation Automation (VCF Automation) version 9.0.x under Tenant/Organization > Virtual Machines > [Selected VM] > Web Console, the connection fails with the following error: "error received from server: vmware internal error 05"

 

  • This issue typically occurs within the Tenant Manager when there is a certificate trust mismatch between the Tenant Manager and the ESXi hosts managed by the Workload Domain vCenter.
  • The Tenant Manager logs ('/services-logs/prelude/node-name/tenant-manager-#/vcloud-container-debug/file-log-##########.log') also show the following errors and stack trace:
    ####-##-## ##:##:##,### | ERROR    | nioEventLoopGroup-2-23    | NettyWebSocketClientHandler    | exceptionCaught, channel=[id: #, L:/###.###.###.###:### ! R:server.example.com/###.###.###.###:###] [server: [L=/###.###.###.###:### R=/###.###.###.###:###]] | io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(##)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:#)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:#)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:#)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:#)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:#)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:#)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:#)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:#)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:#)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:#)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:#)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:#)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:#)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:#)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:#)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:#)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:#)
        at java.base/java.lang.Thread.run(Thread.java:#)
    Caused by: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(#)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:#)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:#)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:#)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:#)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:#)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:#)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:#)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:#)
        ... # more
    Caused by: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(#)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:#)
        at org.bouncycastle.jsse.provider.ProvTlsClient$#.notifyServerCertificate(ProvTlsClient.java:#)
        at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:#)
        at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:#)
        at org.bouncycastle.tls.TlsClientProtocol.receive#ServerCertificate(TlsClientProtocol.java:#)
        at org.bouncycastle.tls.TlsClientProtocol.handle#HandshakeMessage(TlsClientProtocol.java:#)
        at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:#)
        at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:#)
        at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:#)
        at org.bouncycastle.tls.RecordStream.readFullRecord(RecordStream.java:#)
        at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(TlsProtocol.java:#)
        at org.bouncycastle.tls.TlsProtocol.offerInput(TlsProtocol.java:#)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:#)
        ... # more
    Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
        at org.bouncycastle.jsse.provider.ProvX#TrustManager.validateChain(ProvX#TrustManager.java:#)
        at org.bouncycastle.jsse.provider.ProvX#TrustManager.checkTrusted(ProvX#TrustManager.java:#)
        at org.bouncycastle.jsse.provider.ProvX#TrustManager.checkServerTrusted(ProvX#TrustManager.java:#)
        at org.bouncycastle.jsse.provider.ExportX#TrustManager_#.checkServerTrusted(ExportX#TrustManager_#.java:#)
        at com.vmware.vcloud.common.crypto.ssl.TenantAwareTrustManager.checkServerTrusted(TenantAwareTrustManager.java:#)
        at com.vmware.vcloud.common.crypto.ssl.DelegatingTrustManager.checkTrust(DelegatingTrustManager.java:#)
        at com.vmware.vcloud.common.crypto.ssl.DelegatingTrustManager.checkServerTrusted(DelegatingTrustManager.java:#)
        at org.bouncycastle.jsse.provider.ImportX#TrustManager_#.checkServerTrusted(ImportX#TrustManager_#.java:#)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:#)
        ... # more
    Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi_#.engineBuild(Unknown Source)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:#)
        at org.bouncycastle.jsse.provider.ProvX#TrustManager.buildCertPath(ProvX#TrustManager.java:#)
        at org.bouncycastle.jsse.provider.ProvX#TrustManager.validateChain(ProvX#TrustManager.java:#)
        ... # more
    #-#-# #:#:#,# | DEBUG    | nioEventLoopGroup-#-#    | ServerWebSocket                | onClose: status=#,#, reason=vmware internal error # [server: [L=/#.#.#.#:# R=/#.#.#.#:#]] [client: [id: ########, L:/#.#.#.#:# ! R:server.example.com/#.#.#.#:#]] |

Environment

VCF Automation 9.0.x

 

Cause

The Tenant Manager does not trust the SSL certificates of the ESXi hosts linked to the Workload Domain vCenter.

When the console request is proxied, the certificate validation fails, resulting in the internal server error.

Resolution

To resolve this issue, you must ensure the ESXi host certificates are trusted by the Tenant Manager by performing the following steps:

  1. Identify the failing certificates: Note the ESXi hosts associated with the Workload Domain vCenter where the VMs reside.
  2. Export Certificates: Obtain the Root CA or the specific host certificates for the ESXi fleet.
  3. Import to Tenant Manager: Navigate to the certificate management section of the Tenant Manager and import the ESXi/vCenter certificates into the trusted store.
  4. Verify Trust: Ensure that the browser or the proxy service used by Aria Automation can validate the certificate chain without errors.
  5. Test Console: Refresh the VMware Aria Automation UI and attempt to launch the Web Console again.
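
One way to check the Verify Trust step offline before retesting the console, as an added example that is not VMware tooling: it asks OpenSSL whether a host certificate chains to a given PEM trust bundle. The function names, the file names and the sample PKI are assumptions constructed for illustration; the bundle is assumed to hold the same certificates that were imported into the Tenant Manager.

```shell
#!/usr/bin/env bash
# Added example (not VMware tooling): does a host certificate chain to a trust bundle?
# For a real host, save the certificate it presents first, e.g.
#   openssl s_client -connect <esxi-host>:443 </dev/null | openssl x509 > host.pem

# chain_status <trust_bundle.pem> <host_cert.pem>
# Prints "trusted" or "untrusted: <openssl reason>"; returns 0 or 1.
chain_status() {
    local bundle=$1 cert=$2 out
    # -no-CApath: do not also consult the default system CA directory,
    # so the answer reflects the bundle under test.
    if out=$(openssl verify -no-CApath -CAfile "$bundle" "$cert" 2>&1); then
        echo "trusted"
    else
        # Keep only OpenSSL's "error N at D depth lookup: reason" line.
        echo "untrusted: $(printf '%s\n' "$out" | grep -m1 -o 'error [0-9]* at.*')"
        return 1
    fi
}

# Constructed sample PKI (throwaway keys, not real certificates): two
# unrelated roots and one "ESXi host" certificate signed by the first root.
make_sample_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Host Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=esxi01.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_pki "$tmp"
chain_status "$tmp/root.pem"  "$tmp/host.pem"          # issuer is in the bundle
chain_status "$tmp/other.pem" "$tmp/host.pem" || true  # issuer missing from the bundle
```

The second call reproduces the condition in the log above: OpenSSL reports that it cannot find the issuer, its counterpart of "No issuer certificate for certificate in certification path found".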