Plug-in deployment task fails with error Plug-in configuration with Reverse Proxy failed

Article ID: 440673

Products

VMware vCenter Server

Issue/Introduction

  • The plug-in deployment task fails immediately at 0% with the following error:

    Plug-in configuration with Reverse Proxy failed.

  • The following symptoms are observed in the vSphere Client:
    • Navigating to Administration > Client Plugins shows the plug-in status as Failed.

    • Navigating to Administration > Roles displays a blank page and fails to load any data.

Environment

VMware vCenter Server 8.x

Cause

The vCenter Server utilizes a custom SSL configuration where the custom Root CA certificate in the TRUSTED_ROOTS store has expired. This invalidates the trust chain required for Reverse Proxy endpoint authentication, breaking plug-in configuration deployment and rendering database-dependent UI views blank.

Resolution

Step 1: Remove the Expired Root Certificate via CLI

  1. Take a snapshot of the vCenter Server Appliance (VCSA). If the vCenter participates in Enhanced Linked Mode (ELM), shut down all nodes before taking snapshots.
  2. Log in to the vCenter Server via SSH as root.
  3. List the certificates currently stored in the TRUSTED_ROOTS store to identify the expired entry:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep "Alias\|Not After\|Subject:\|Issuer:"

  4. Locate the expired custom Root CA certificate and record its literal Alias string (e.g., Alias : 2e7f...).
  5. Export and back up the identified certificate to the /root/ directory using its Alias ID:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <Expired_Alias_ID> --output /root/expired_root_ca.cer

  6. Unpublish the expired Root CA certificate from the VMware Directory Service (VMDIR):

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/expired_root_ca.cer

    Note: Provide the Single Sign-On (SSO) administrator password when prompted.
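
The following script is an added example, not part of the original article or a VMware tool. It automates the check in steps 3 and 4 by reading the TRUSTED_ROOTS listing and printing only the aliases whose Not After date has passed. The function names, the sample listing, and the assumed output layout (an "Alias :" line followed by an OpenSSL-style "Not After :" line) are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the original article.
# Assumed layout of `vecs-cli entry list --text` output: an "Alias :" line per
# entry, then an OpenSSL-style "Not After : Mon DD HH:MM:SS YYYY GMT" line.

# Constructed sample (aliases, names and dates are made up for this example).
sample_vecs_output() {
    cat <<'EOF'
Alias : constructed-alias-old
        Issuer: CN=Example Old Root CA
            Not After : Mar 15 12:00:00 2024 GMT
        Subject: CN=Example Old Root CA
Alias : constructed-alias-new
        Issuer: CN=Example New Root CA
            Not After : Jun  1 00:00:00 2034 GMT
        Subject: CN=Example New Root CA
EOF
}

# Reads the listing on stdin; prints "<alias> <Not After>" per expired entry.
# $1 (optional): reference time, UTC, as YYYYMMDDHHMMSS. Default: now.
list_expired_roots() {
    ref="${1:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v ref="$ref" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) month[names[i]] = i
        }
        /^[ \t]*Alias[ \t]*:/ {
            alias = $0
            sub(/^[ \t]*Alias[ \t]*:[ \t]*/, "", alias)
        }
        /Not After[ \t]*:/ {
            when = $0
            sub(/^.*Not After[ \t]*:[ \t]*/, "", when)
            split(when, f, " ")      # f: Mon, DD, HH:MM:SS, YYYY, GMT
            split(f[3], t, ":")
            stamp = sprintf("%04d%02d%02d%02d%02d%02d",
                            f[4], month[f[1]], f[2], t[1], t[2], t[3])
            if (stamp + 0 < ref + 0) print alias, when
        }
    '
}

# Demo on the constructed sample with a fixed reference time (2025-01-01 UTC).
# On the appliance, pipe the real listing in instead:
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | list_expired_roots
sample_vecs_output | list_expired_roots 20250101000000
```

Running the same function again after Step 2 and seeing no output confirms that no expired entry remains in the store.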

Step 2: Import the New Trusted Root Certificate

Choose either the vSphere Client UI method or the CLI method to add the valid replacement certificate.

Method A: vSphere Client UI

  1. Log in to the vSphere Client using SSO administrator credentials.
  2. Navigate to Administration > Certificate Management > Trusted Root > ADD TRUSTED ROOT CERTIFICATE.
  3. Select the new valid Root CA certificate file, and complete the wizard.
  4. Reboot the vCenter Server to apply the changes globally.

Method B: CLI

  1. Upload the new, valid root certificate to the /root/ directory of the VCSA.
  2. Publish the new certificate to the VMDIR trusted certificate store:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/<new-cert>.cer

    Note: Provide the SSO administrator credentials when prompted.
  3. Force a refresh of the VMware Endpoint Certificate Store (VECS) to immediately sync the published certificate changes from VMDIR:

    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  4. Restart all services on the vCenter Servers:

    service-control --stop --all
    service-control --start --all