Unable to deploy OVF using vSphere Client in vCenter Server 7.0 or 8.0 when a HTTPS Proxy is configured
search cancel

Unable to deploy OVF using vSphere Client in vCenter Server 7.0 or 8.0 when a HTTPS Proxy is configured

book

Article ID: 321922

calendar_today

Updated On: 04-01-2025

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Unable to deploy OVF using vSphere Web client in vCenter Server 7.0 and above when using an HTTPS Proxy Server.
  • Exporting VM to OVF may result with an error 500 in the web browser.

  • You see the following errors in /var/log/vmware/vpxd.log similar to: 
    Unrecognized SSL message, plaintext connection?, note that HTTP/s proxy is configured for the transfer
    [YYYY-MM-DDTHH:MM:SS] info vpxd[14866] [Originator@6876 sub=Default opID=2b691553-01] [VpxLRO] -- ERROR task-1978410 -- UPSA913s-x64-VM01-noV
APP -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
--> Result:
--> (vim.fault.OvfImportFailed) {
-->  faultCause = (vmodl.fault.SystemError) {
-->   faultCause = (vmodl.MethodFault) null,
-->   faultMessage = (vmodl.LocalizableMessage) [
-->     (vmodl.LocalizableMessage) {
-->      key = "com.vmware.ovfs.ovfs-main.ovfs.transfer_failed",
-->      arg = (vmodl.KeyAnyValue) [
-->        (vmodl.KeyAnyValue) {
-->         key = "0",
-->         value = "Invalid response code: 403, note that HTTP/s proxy is configured for the transfer"
-->      message = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
-->   reason = ""
-->   msg = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
-->  faultMessage = <unset>

     

  • You can also see following messages in /var/log/vmware/content-library/cls.log 

ovf.transfer_failed

Server not trusted: certificate_unknown(46), note that HTTP/S proxy is configured for the transfer

Environment

VMware vCenter Server 8.0
VMware vCenter Server 7.0

Cause

This issue occurs when the OVF deployment process is unable to connect to the proxy server with the error: 

Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer.
Transfer failed: Server not trusted, certificate unknown


This Invalid response code: 403 is a response from the PROXY server indicating that the resource you are attempting to reach is not allowed access.

The OVF transfer requires an HTTPS capable proxy when a proxy is in use. Ensure the proxy is HTTPS capable or use the workarounds below to bypass the proxy.

Resolution

Currently there is no resolution. Please subscribe to this article to get informed when a fix is available.

Workaround:

0. Disable to the Proxy in the vCenter VAMI 5480 as a test and try it again.  

To workaround this issue, use one of the below methods (Note that the following is case sensitive):

1. Modify the HTTPS PROXY configuration to use HTTP:

  • Modify the /etc/sysconfig/proxy file. Change the HTTPS_PROXY line to update the value from https to http:

    HTTPS_PROXY="https://proxy.example.com:3128/"

    to

    HTTPS_PROXY="http://proxy.example.com:3128/"

     

  • If the FQDN of the proxy server does not work, you can alternatively use its IP address

  • Reboot the VCSA if you are on a version prior to 7.0 U1. Otherwise, restart services with the command:

    # service-control --stop --all && service-control --start --all

     

2. Add the hosts to the NO_PROXY config to bypass the proxy:

  • Connect to the vCenter Server with a SSH session

  • Modify the /etc/sysconfig/proxy file and add the ESXi host FQDN's or IP's to the following line, separated by a comma followed by a space character.

For Example:

NO_PROXY="localhost, 127.0.0.1, <hostname>.example.com"

  • Attempt the OVF deployment from the content library and the vSphere Client.

  • In some cases it can be necessary to reboot the vCenter Server to apply the change

 

Note:

Content library in vCenter 7.0U1c and newer versions include support to specify a CIDR notation (1.2.3.4/24)/netmask notation (1.2.3.4/255.255.255.0) or a wildcard with a leading full stop (".") as in  .*.vmware.com.

Please note that wildcard entries must start with a full stop. 

For File based Backup and Restore you need to explicitly mention FQDN/IP of backup server. For more information, see No_Proxy requirement for vCenter File based Backup and Restore (313480)

For example:

NO_PROXY="localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24"


Using a wildcard proxy has its limitations:
- File-based backup and restore may be affected.
- VMware Appliance Management UI (VAMI) does not support adding a proxy/no-proxy with a wildcard. 
- Not all components in vCenter accepts NO_PROXY with wildcard characters. 
  For example, Linux commands like wget, curl don't support wildcard/CIDR/netmask notation in NO_PROXY. 

 

Additional Information

This issue is being checked by Diagnostics for VMware Cloud Foundation.

The check is as follows:

  • Product: vCenter
  • Log File: vpxd.log
  • Log Expression Check "Transfer failed: Invalid response code: 403" AND "HTTP/s proxy is configured for the transfer"

 

Powered by Wolken Software