vCenter Log Collection fails in VCF Operations with "PKIX path building failed" Error

Article ID: 425086

Products

VCF Operations

Issue/Introduction

In VMware Cloud Foundation (VCF) Operations, vCenter Log Collection may fail with the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The following error appears in the Cloud Proxy log at /vcf-log-forwarder/log/log-forwarder.log:
Error while fetching and applying log collection configurations.
com.vmware.loginsight.logcollection.config.exception.ConfigurationFetchingException: Failed to retrieve configurations: Unauthorized - Please verify credentials.

Environment

VCF Operations 9.x.x
VCF Operations for Logs 9.x.x

Cause

The issue occurs due to invalid or expired credentials used by the Log Forwarder to authenticate with VCF Operations for Logs. Although the error message references a PKIX / certificate path failure, the underlying cause is typically an authorization failure between the Cloud Proxy Log Forwarder and the VCF Operations for Logs Primary Node. This can happen after credential rotation, certificate changes, or environment upgrades.

Resolution

Follow the steps below to reset the Log Forwarder credentials using the internal API on the VCF Operations for Logs Primary Node, restart the Log Forwarder service and restart the VCF Operations for Logs cluster.

Step 1: Retrieve an Authentication Session
- SSH to the VCF Operations for Logs Primary Node as the root user.
- Run the following command, replacing the placeholders with your environment details:
curl --request POST \
  --url https://<VCF-OPS-LOGS-PRIMARY-IP_FQDN>:9543/api/v2/sessions \
  --header 'content-type: application/json' \
  --data '{
    "username": "<USERNAME>",
    "password": "<PASSWORD>",
    "provider": "Local"
  }' \
  -k

Note: The username and password must be admin credentials. Copy the sessionId value from the returned JSON output; it is used in the next step. The -k option makes curl skip TLS certificate verification for this request.

Step 2: Reset Log Forwarder Credentials
- Identify the Cloud Proxy ID from the VCF Operations UI under Cloud Proxies. Please ensure that you use the Cloud Proxy associated with the vCenter adapter that is experiencing the Log Collection issue.
- Use the session ID obtained earlier to reset the Log Forwarder credentials:
curl --request PUT \
  --url https://<VCF-OPS-LOGS-PRIMARY-IP_FQDN>:9543/api/v2/internal/log-forwarder-credentials \
  --header 'Authorization: Bearer <LOGS-SESSION-ID>' \
  --header 'Content-Type: application/json' \
  --data '{
    "credentials": [
      {
        "opsProxyId": "<CLOUD_PROXY_ID>"
      }
    ]
  }' \
  -k
 
Step 3: Restart the Log Forwarder Service
- SSH into the Cloud Proxy appliance as the root user.
- Restart the Log Forwarder container:
docker restart vcf-log-forwarder

Step 4: Restart the VCF Operations for Logs nodes
- Reboot all nodes of the VCF Operations for Logs cluster from the vCenter Server.

Note: The status change to "Active" might take a while to appear in the Log Collection UI.
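
Steps 1 and 2 above chained into one script, as an added example that is not part of the original article or VMware's own tooling. It prompts for the password and sends the request bodies on curl's stdin so the password stays out of shell history and curl's argument list. The TLS_OPT variable and the CA file path are assumptions of this example; the default is -k, as in the article.

```shell
#!/bin/sh
# Added example: Steps 1 and 2 of the article, chained. Run it before Step 3.
# TLS_OPT defaults to -k as in the article. To verify the Logs node certificate
# instead, set TLS_OPT="--cacert /path/to/ca.pem" (hypothetical path).
TLS_OPT=${TLS_OPT:--k}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Pull the sessionId value out of the Step 1 JSON response read from stdin.
extract_session_id() {
  sed -n 's/.*"sessionId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Step 1: request a session. The body is piped to curl (--data @-), so the
# password is never one of curl's command-line arguments.
get_session() {  # args: host user password
  printf '{"username":"%s","password":"%s","provider":"Local"}' \
      "$(json_escape "$2")" "$(json_escape "$3")" |
    curl --silent --show-error --fail $TLS_OPT --request POST \
      --url "https://$1:9543/api/v2/sessions" \
      --header 'content-type: application/json' --data @- |
    extract_session_id
}

# Step 2: reset the Log Forwarder credentials for one Cloud Proxy.
# The session ID is still passed as a header argument, as in the article.
reset_forwarder_credentials() {  # args: host session_id cloud_proxy_id
  printf '{"credentials":[{"opsProxyId":"%s"}]}' "$(json_escape "$3")" |
    curl --silent --show-error --fail $TLS_OPT --request PUT \
      --url "https://$1:9543/api/v2/internal/log-forwarder-credentials" \
      --header "Authorization: Bearer $2" \
      --header 'Content-Type: application/json' --data @-
}

main() {  # usage: script <logs-primary-ip-or-fqdn> <admin-user> <cloud-proxy-id>
  printf 'Password for %s: ' "$2" >&2
  stty -echo; IFS= read -r pass; stty echo; printf '\n' >&2
  sid=$(get_session "$1" "$2" "$pass")
  [ -n "$sid" ] || { echo 'No sessionId returned; check the credentials.' >&2; return 1; }
  reset_forwarder_credentials "$1" "$sid" "$3"
}

# Run only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

If get_session prints nothing, the session request failed or was rejected; the script stops before Step 2 in that case.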