HCX Service Mesh creation failed during the OVF upload when TLS 1.3 is enabled

Article ID: 427616

Products

VMware HCX

Issue/Introduction

  • When deploying Service Mesh appliances in VMware HCX, the operation fails during the OVF upload stage.
  • The environment is configured with TLS 1.3. An openssl s_client connection forced to TLS 1.2 is rejected by vCenter with a protocol version alert (SSL alert number 70), showing that TLS 1.2 is not accepted:
    openssl s_client -connect <VC FQDN>:443 -tls1_2
    CONNECTED(00000003)
    ############:error:########:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1605:SSL alert number 70
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 217 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
      Protocol : TLSv1.2
      Cipher : 0000
      Session-ID:
      Session-ID-ctx:
      Master-Key:
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: ############
      Timeout : 7200 (sec)
      Verify return code: 0 (ok)
      Extended master secret: no
    ---
  • The following errors are observed in the HCX /common/logs/admin/app.log:
    [OvfUploadService_SvcThread-3, Ent: HybridityAdmin, , TxId: TxId: ######-####-####-####-############] ERROR c.v.v.h.a.vcenter.VcConnection- Error Logging onto VCenter:https://<VC FQDN> User:<User>, message: javax.net.ssl.SSLPeerUnverifiedException: No peer identity established
    [OvfUploadService_SvcThread-3, Ent: HybridityAdmin, , TxId: TxId: ######-####-####-####-############] ERROR c.v.v.h.s.ovfupload.OvfUploadJob- Error in uploading Ovf
    java.lang.RuntimeException: The configuration for this VCenter UUID : ######-####-####-####-############, URL:https://<VC FQDN> in Appliance Config is incomplete, please check credentialls and validity of vc certificate

Environment

VMware HCX
vCenter is configured with TLS 1.3

Cause

TLS 1.3 is not currently supported for VMware HCX 4.11.x or 9.0.x releases. When vCenter enforces TLS 1.3, the OVF upload service cannot negotiate a session and fails with javax.net.ssl.SSLPeerUnverifiedException: No peer identity established.

Resolution

Support for TLS 1.3 is scheduled for inclusion in release 9.1 and later.

To resolve this issue, configure the environment to use a supported TLS version (such as TLS 1.2) for HCX communications.

  1. Review the security protocols enabled on the vCenter Server and underlying infrastructure.
  2. Ensure that TLS 1.2 is enabled.
  3. Retry the Service Mesh appliance creation.
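The following Go program is an added example, not code from VMware or from this article. It performs the check in step 1 and step 2 programmatically: it pins a client handshake to exactly one protocol version and reports whether the endpoint accepts TLS 1.2, TLS 1.3, or both, and maps the result onto the compatibility statement above. Because a vCenter is not available offline, the program stands up two loopback TLS listeners with a throwaway self-signed certificate (the hostname vc.example.invalid and the Report type and function names are constructed for this example): one that enforces TLS 1.3 only, reproducing the alert 70 failure shown in the openssl output, and one with TLS 1.2 enabled. The probe checks protocol negotiation only and deliberately skips certificate verification, so a true result does not mean HCX would trust the certificate. To run it against a real endpoint, call assess with host:port instead of the local listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Report summarises which protocol versions an endpoint accepted (constructed type).
type Report struct {
	TLS12, TLS13 bool
	Note         string
}

// probe performs one handshake pinned to exactly one protocol version and returns
// true only if the server completed it. Certificate trust is not checked: this is a
// protocol probe, and the local stand-in listener uses a throwaway certificate.
func probe(addr string, version uint16) bool {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		MinVersion: version, MaxVersion: version, InsecureSkipVerify: true,
	})
	if err != nil {
		// A TLS 1.3-only server answers a TLS 1.2-only ClientHello with a
		// protocol_version alert (alert 70), the same alert openssl reported.
		return false
	}
	conn.Close()
	return true
}

// assess probes TLS 1.2 and TLS 1.3 and states what the result means for HCX.
func assess(addr string) Report {
	r := Report{TLS12: probe(addr, tls.VersionTLS12), TLS13: probe(addr, tls.VersionTLS13)}
	switch {
	case r.TLS13 && !r.TLS12:
		r.Note = "TLS 1.3 only: OVF upload from HCX 4.11.x/9.0.x will fail; enable TLS 1.2"
	case r.TLS12:
		r.Note = "TLS 1.2 accepted: compatible with HCX 4.11.x/9.0.x"
	default:
		r.Note = "neither TLS 1.2 nor TLS 1.3 accepted: check the endpoint and port"
	}
	return r
}

// selfSignedCert builds a throwaway certificate for the loopback listener.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vc.example.invalid"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer runs a loopback TLS listener accepting only [min, max], standing in
// for a vCenter with TLS 1.3 enforced (min = max = VersionTLS13) or TLS 1.2 enabled.
func startServer(min, max uint16) (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: min, MaxVersion: max,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the client sees the server's decision or alert.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	for _, sc := range []struct {
		name     string
		min, max uint16
	}{
		{"vCenter enforcing TLS 1.3 only", tls.VersionTLS13, tls.VersionTLS13},
		{"vCenter with TLS 1.2 enabled", tls.VersionTLS12, tls.VersionTLS13},
	} {
		addr, stop, err := startServer(sc.min, sc.max)
		if err != nil {
			panic(err)
		}
		r := assess(addr)
		stop()
		fmt.Printf("%-32s TLS1.2=%-5v TLS1.3=%-5v %s\n", sc.name, r.TLS12, r.TLS13, r.Note)
	}
}
```

The first scenario reproduces the article's symptom (TLS 1.2 refused, TLS 1.3 accepted); the second is the state the resolution asks for. Running assess against the real vCenter FQDN on port 443 before retrying the Service Mesh deployment confirms step 2 without reading openssl output by hand.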