vCenter Brownfield Import to VCF fails with error "Remote_vc_validator: SSH Key not trusted."

Article ID: 429490

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

During the brownfield import of a vCenter into VMware Cloud Foundation (VCF), the process fails during the validation phase.

The brownfield deployment log at /var/log/vmware/vcf/domainmanager/brownfield/#####/vcf-brownfield.log reports the following error:

[DD-MM-YYYY] [INFO] remote_vc_validator:50: Validating root SSH password for vCenter ####
[DD-MM-YYYY] [INFO] local_command_utils:126: Discovered SSH keys for 1 server(s)
[DD-MM-YYYY] [INFO] sddc_manager_helper:455: Retrieving SDDC Manager known hosts
[DD-MM-YYYY] [INFO] request_helper:25: Response status from retrieving known hosts: 200
[DD-MM-YYYY] [INFO] trust_ssh_keys:36: Found 2 untrusted SSH keys out of 2
[DD-MM-YYYY] [INFO] trust_ssh_keys:41: Ran in non-interactive mode with skip thumbprint validation enabled, auto-accepting SSH keys
[DD-MM-YYYY] [INFO] sddc_manager_helper:431: Importing known hosts in SDDC Manager
[DD-MM-YYYY] [INFO] request_helper:25: Response status from known hosts import: 200
[DD-MM-YYYY] [INFO] sddc_manager_helper:455: Retrieving SDDC Manager known hosts
[DD-MM-YYYY] [INFO] request_helper:25: Response status from retrieving known hosts: 200
[DD-MM-YYYY] [CRITICAL] remote_vc_validator:58: SSH key not trusted. Exiting

Environment

VMware Cloud Foundation (VCF) 9.x

Cause

The failure is caused by a case-sensitivity mismatch between how the vCenter FQDN is stored and how it is queried by the brownfield import script.

The commonsvcs component saves known host keys under the uppercase vCenter FQDN in the following locations:

  • /etc/vmware/vcf/commonsvcs/known_hosts
  • /home/vcf/.ssh/known_hosts
  • /root/.ssh/known_hosts

However, during the import, the domainmanager executes the vcf_brownfield.py script, which performs a GET request via the commonsvcs API. This query searches for host keys under the lowercase FQDN. Because the keys are stored under the uppercase FQDN, the API does not find a match, resulting in the "[CRITICAL] remote_vc_validator:58: SSH key not trusted" error.

Resolution

To resolve this issue, manually add the host keys for the vCenter to the relevant known_hosts files on the SDDC Manager or VCF Installer.

NOTE: Take a non-memory snapshot of the vCenter VM before applying any changes.

  1. Log in to the SDDC Manager or VCF Installer appliance via SSH.

  2. Retrieve the SSH host keys of the target vCenter using the following command (replace <vCenter FQDN> with the actual FQDN of the vCenter in lowercase):
    ssh-keyscan -t rsa,ecdsa <vCenter FQDN>

  3. Append the output of the above command to the files below:
    • /etc/vmware/vcf/commonsvcs/known_hosts
    • /root/.ssh/known_hosts
    • /home/vcf/.ssh/known_hosts

  4. Retry the brownfield import from the SDDC Manager or VCF Installer.
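
An added example, not part of the original article or of VCF: two shell helpers for steps 2 and 3 that list known_hosts entries matching the vCenter FQDN only when case is ignored, and append ssh-keyscan output with a lowercase host field without creating duplicates. The function names and the /tmp/vc.scan path are assumptions. ssh-keyscan output is unauthenticated, so compare the fingerprints with the vCenter's own host keys before trusting them.

```shell
#!/usr/bin/env bash
# Added example; function names and sample paths are hypothetical, not VCF tooling.

# Print known_hosts entries whose host field equals the FQDN only when case
# is ignored (stored uppercase, queried lowercase: the mismatch described above).
# Hashed entries (|1|...) cannot be matched by name and are not reported.
find_case_mismatch() {  # usage: find_case_mismatch <known_hosts> <fqdn>
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
      n = split($1, hosts, ",")          # host field may list several names
      for (i = 1; i <= n; i++)
        if (tolower(hosts[i]) == want && hosts[i] != want) { print; next }
    }' "$1"
}

# Append ssh-keyscan output to a known_hosts file with the host field forced
# to lowercase, skipping lines that are already present.
# Prints the number of lines appended.
append_missing_keys() {  # usage: append_missing_keys <known_hosts> <scan_file>
  local kh=$1 scan=$2 added=0 host ktype key rest line
  touch "$kh"
  while read -r host ktype key rest; do
    case $host in ''|'#'*) continue ;; esac   # skip blanks and banner comments
    line="$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]') $ktype $key"
    if ! grep -qxF -- "$line" "$kh"; then
      printf '%s\n' "$line" >> "$kh"
      added=$((added + 1))
    fi
  done < "$scan"
  printf '%s\n' "$added"
}

# On the appliance, after sourcing this file (scan path is an assumption):
#   ssh-keyscan -t rsa,ecdsa <vCenter FQDN> > /tmp/vc.scan
#   ssh-keygen -lf /tmp/vc.scan     # fingerprints to compare out of band
#   for f in /etc/vmware/vcf/commonsvcs/known_hosts /root/.ssh/known_hosts \
#            /home/vcf/.ssh/known_hosts; do
#     find_case_mismatch "$f" <vCenter FQDN>
#     append_missing_keys "$f" /tmp/vc.scan
#   done
```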