VCF Operations SFTP Backup Configuration Fails With Unable to Fetch Fingerprint
Article ID: 438637

Products

VCF Operations

Issue/Introduction

  • Configuring an SFTP server for backups in VCF Operations fails. The UI displays the error: "Unable to fetch fingerprint for FQDN - <SFTP_SERVER_IP>".

  • The /var/log/vrlcm/vmware_vrlcm.log records an ssh-keyscan failure (exit code 1) while fetching the RSA public key:
    YYYY-MM-DDTHH:MM:SSZ INFO vrlcm[1615] [http-nio-8080-exec-10] [c.v.v.l.1.c.CertificateManagementController] -- Request received to get rsa key from <SFTP_SERVER_IP>
    YYYY-MM-DDTHH:MM:SSZ INFO vrlcm[1615] [http-nio-8080-exec-10] [c.v.v.l.1.s.CertificateManagementService] -- Fetching rsa public key from <SFTP_SERVER_IP>
    YYYY-MM-DDTHH:MM:SSZ ERROR vrlcm[1615] [http-nio-8080-exec-10] [c.v.v.l.u.CertificateUtil] -- ssh-keyscan command failed with exit code: 1
    YYYY-MM-DDTHH:MM:SSZ ERROR vrlcm[1615] [http-nio-8080-exec-10] [c.v.v.l.u.CertificateUtil] -- Failed to get key from host.
    java.lang.RuntimeException: Failed to get key from <SFTP_SERVER_IP>

  • This issue occurs even when the standard port 22 is used, and it is distinct from the custom-port failure described in KB: Unable to configure SFTP Settings in VCF Operations for VCFA or VIDB when using an sftp server with a custom port.

Environment

VCF Operations 9.x

Cause

  • The VCF Operations fleet management backup component requires the target SFTP server to support and present both of the following SSH host key types:
    • 2048-bit RSA (ssh-rsa)
    • 256-bit ECDSA (ecdsa-sha2-nistp256)
  • If the target SFTP server (for example, Titan SFTP) is configured to offer only an ECDSA host key, ssh-keyscan cannot retrieve the mandatory RSA key, and the configuration workflow terminates. Verify this manually by running the following command from the VCF Operations appliance:
    ssh-keyscan -p 22 [SFTP_SERVER_IP]
  • If the output contains only an ecdsa-sha2-nistp256 host key line and no ssh-rsa line, the server does not meet the requirement.
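
The following script, added here as an illustration and not part of the KB or of the VCF Operations appliance, performs the check above: it reads ssh-keyscan output and reports which of the two required host key types is absent, and it wraps a live scan and fingerprint lookup for the appliance. The sample listings and the function names (check_keyscan_output, scan_host, rsa_fingerprint) are assumptions made for the example; the key blobs are placeholders, not real keys, and 192.0.2.10 is a documentation address.

```shell
#!/bin/sh
# Added example (not part of the KB): check an ssh-keyscan listing for the
# host key types the VCF Operations backup workflow requires, and optionally
# scan a live server. Needs only POSIX sh and awk; the live functions also
# need ssh-keyscan and ssh-keygen from OpenSSH.

REQUIRED_TYPES="ssh-rsa ecdsa-sha2-nistp256"

# Constructed sample listings in ssh-keyscan's output format. The key blobs
# are placeholders, not real keys; 192.0.2.10 is a documentation address.
SAMPLE_ECDSA_ONLY='# 192.0.2.10:22 SSH-2.0-ExampleSFTP
192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER'
SAMPLE_BOTH='# 192.0.2.10:22 SSH-2.0-ExampleSFTP
192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER'

# check_keyscan_output: read ssh-keyscan lines from stdin and report which
# required key types are absent. Returns 0 only when every type is present.
check_keyscan_output() {
    listing=$(cat)
    missing=""
    for t in $REQUIRED_TYPES; do
        # Column 2 of a non-comment ssh-keyscan line is the key type;
        # comment lines ("# host:port banner") are skipped.
        if ! printf '%s\n' "$listing" | awk -v t="$t" '$1 !~ /^#/ && $2 == t { found = 1 } END { exit !found }'; then
            missing="$missing $t"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing host key type(s):%s\n' "$missing"
        return 1
    fi
    printf 'all required host key types present\n'
    return 0
}

# scan_host HOST [PORT]: query the live server for exactly the two key types
# and run the check. Port defaults to 22, as in the appliance's own call.
scan_host() {
    ssh-keyscan -p "${2:-22}" -t rsa,ecdsa "$1" 2>/dev/null | check_keyscan_output
}

# rsa_fingerprint HOST [PORT]: print the SHA256 fingerprint of the RSA host
# key, the value the UI shows once the scan succeeds. Compare it against the
# fingerprint shown in the SFTP server's own console before accepting it;
# ssh-keyscan reports whatever key the network path presents.
rsa_fingerprint() {
    ssh-keyscan -p "${2:-22}" -t rsa "$1" 2>/dev/null | ssh-keygen -lf -
}

# Usage from the VCF Operations appliance:
#   scan_host <SFTP_SERVER_IP>        # reports any missing key type
#   rsa_fingerprint <SFTP_SERVER_IP>  # SHA256 fingerprint of the RSA key
```

Run scan_host against the SFTP server before opening a support case: a report of "missing host key type(s): ssh-rsa" reproduces the condition described in this article, while "all required host key types present" points elsewhere (for example, the custom-port issue referenced above).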

Resolution

Reconfigure the SFTP server so that it presents both an RSA and an ECDSA host key at the same time.

  1. Access the administration console of your SFTP server.
  2. Enable the RSA host key algorithm with a 2048-bit key.
  3. Ensure the ECDSA host key algorithm (256-bit) remains enabled.
    Note: If the interface allows only one host key algorithm to be selected at a time, contact the SFTP vendor's support.
  4. Restart the SFTP service if the vendor software requires it.
  5. Retry the SFTP backup configuration in the VCF Operations UI.

Once both keys are presented, VCF Operations retrieves the SHA256 fingerprint of the RSA key and completes the configuration. Before accepting the fingerprint shown in the UI, compare it with the RSA host key fingerprint reported by the SFTP server's own administration console: ssh-keyscan returns whatever key the network path presents, so an out-of-band comparison is the only way to confirm that the key belongs to the intended backup server.

Additional Information

Reconfigure SFTP Backups for SDDC Manager and NSX Manager