Unable to deploy OVF using vSphere Client when a HTTPS Proxy is configured
Article ID: 321922

Products

VMware vCenter Server

Issue/Introduction

  • Unable to deploy OVF using vSphere Web client in vCenter Server 7.0 and above when using an HTTPS Proxy Server.

   For a similar issue, see "cannot authenticate SSL certificate for proxy" in Content Library for vCenter HTTPs Proxy Support

  • Exporting VM to OVF may result in an error 500 in the web browser.
  • When trying to deploy an OVF/OVA through the vCenter UI, you may see an error similar to the following:
    A general system error occurred:Transfer failed:Invalid response code: 503, note that HTTP/s proxy is configured for the transfer.
  • You see errors similar to the following in /var/log/vmware/vpxd.log:
    Unrecognized SSL message, plaintext connection?, note that HTTP/s proxy is configured for the transfer
    [YYYY-MM-DDTHH:MM:SS] info vpxd[#####] [Originator@#### sub=Default opID=#######-##] [VpxLRO] -- ERROR task-###### -- <VMNAME> -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
    --> Result:
    --> (vim.fault.OvfImportFailed) {
    -->  faultCause = (vmodl.fault.SystemError) {
    -->   faultCause = (vmodl.MethodFault) null,
    -->   faultMessage = (vmodl.LocalizableMessage) [
    -->     (vmodl.LocalizableMessage) {
    -->      key = "com.vmware.ovfs.ovfs-main.ovfs.transfer_failed",
    -->      arg = (vmodl.KeyAnyValue) [
    -->        (vmodl.KeyAnyValue) {
    -->         key = "0",
    -->         value = "Invalid response code: 403, note that HTTP/s proxy is configured for the transfer"
    -->      message = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
    -->   reason = ""
    -->   msg = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
    -->  faultMessage = <unset>
  • The error above may also appear with Invalid response code: 503.
  • You may also see the following messages in /var/log/vmware/content-library/cls.log:
    ovf.transfer_failed
    Server not trusted: certificate_unknown(46), note that HTTP/S proxy is configured for the transfer

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x

Cause

  • This issue occurs when the OVF deployment process is unable to connect to the proxy server with the error: 
    Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer.
    Transfer failed: Server not trusted, certificate unknown
  • The Invalid response code: 403 is a response from the proxy server indicating that access to the resource you are attempting to reach is not allowed.
  • The OVF transfer requires an HTTPS capable proxy when a proxy is in use. Ensure the proxy is HTTPS capable or use the workarounds below to bypass the proxy.

Resolution

Broadcom is aware of this issue and is working on a fix.

To work around the issue, follow the steps below:

Disable the proxy in the vCenter VAMI (port 5480) as a test and try again. Use one of the methods below (note that the following is case sensitive):

  1. SSH to vCenter appliance with root user.
  2. Modify the HTTPS PROXY configuration to use HTTP:
    1. Modify the /etc/sysconfig/proxy file. Change the HTTPS_PROXY line to update the value from https to http:
      HTTPS_PROXY="https://proxy.example.com:3128/"
      to 
      HTTPS_PROXY="http://proxy.example.com:3128/" 
       
    2. If the FQDN of the proxy server does not work, you can alternatively use its IP address.
    3. Reboot the VCSA if you are on a version prior to 7.0 U1. Otherwise, restart services with the command:
      service-control --stop --all && service-control --start --all
  3. Add the host(s) to the NO_PROXY config to bypass the proxy:
    1. Modify the /etc/sysconfig/proxy file and add the ESXi host FQDNs or IPs to the following line, separated by a comma followed by a space character.
      NO_PROXY="localhost, 127.0.0.1, <esxi_hostname>.example.com"
  4. Attempt the OVF deployment from the content library and the vSphere Client.

    Note: In some cases it can be necessary to reboot the vCenter Server to apply the change.

 

Note

Content Library in vCenter 7.0U1c and newer versions includes support for CIDR notation (1.2.3.4/24), netmask notation (1.2.3.4/255.255.255.0), or a wildcard with a leading full stop (".") as in .*.vmware.com.

Please note that wildcard entries must start with a full stop.

For File-based Backup and Restore, you need to explicitly specify the FQDN/IP of the backup server. For more information, see No_Proxy requirement for vCenter File based Backup and Restore.

For example:

NO_PROXY="localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24"


Using a wildcard proxy has its limitations:

  • File-based backup and restore may be affected.
  • VMware Appliance Management UI (VAMI) does not support adding a proxy/no-proxy with a wildcard. 
  • Linux commands like wget, curl do not support wildcard/CIDR/netmask notation in NO_PROXY.
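
The NO_PROXY rules and limitations above can be checked before restarting services. The following is an added example, not Broadcom tooling: the function names are hypothetical and the sample configuration is constructed. On an appliance, pass /etc/sysconfig/proxy to audit_proxy instead of the temporary file.

```shell
#!/bin/sh
# Added example (not Broadcom tooling): lint a file in /etc/sysconfig/proxy format
# against the NO_PROXY rules stated in this article.

# get_var FILE NAME -> value of NAME="...", quotes stripped (last assignment wins)
get_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# classify_entry ENTRY -> wildcard | bad-wildcard | netmask | cidr | plain
classify_entry() {
    case "$1" in
        .*)        echo wildcard ;;      # leading full stop, e.g. .*.example.com
        *\**)      echo bad-wildcard ;;  # "*" without the required leading full stop
        */*.*.*.*) echo netmask ;;       # 1.2.3.4/255.255.255.0
        */[0-9]*)  echo cidr ;;          # 1.2.3.4/24
        *)         echo plain ;;         # FQDN or IP address
    esac
}

# audit_proxy FILE -> one finding per line
audit_proxy() {
    echo "https_proxy_scheme=$(get_var "$1" HTTPS_PROXY | sed 's,://.*,,')"
    get_var "$1" NO_PROXY | tr ',' '\n' | while read -r entry; do
        [ -n "$entry" ] || continue
        kind=$(classify_entry "$entry")
        case "$kind" in
            plain)        echo "ok $entry" ;;
            bad-wildcard) echo "invalid $entry (wildcard must start with a full stop)" ;;
            wildcard)     echo "limited $entry (no VAMI, wget or curl support)" ;;
            *)            echo "limited $entry ($kind: no wget or curl support)" ;;
        esac
    done
}

# Constructed sample in the article's format; the last entry is deliberately wrong.
sample_config() {
    cat <<'EOF'
HTTPS_PROXY="http://proxy.example.com:3128/"
NO_PROXY="localhost, 127.0.0.1, .*.example.com, 10.0.0.1/24, *.lab.example.com"
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_proxy "$cfg"
rm -f "$cfg"
```
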

Additional Information

This issue is being checked by Diagnostics for VMware Cloud Foundation.

The check is as follows:

  • Product: vCenter
  • Log File: vpxd.log
  • Log Expression Check: "Transfer failed: Invalid response code: 403" AND "HTTP/s proxy is configured for the transfer"
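
The same check can be run by hand against a log file. The following is an added example, not the Diagnostics implementation: it applies the expression above line by line and, going beyond that check, also counts the other signatures quoted in this article. The function names are hypothetical and the sample log lines are constructed; on an appliance, pass /var/log/vmware/vpxd.log or /var/log/vmware/content-library/cls.log.

```shell
#!/bin/sh
# Added example, not Broadcom tooling. Signature strings are copied from this article.

# count_matches FILE STRING -> number of lines containing STRING (fixed string) that
# also carry the proxy marker. The marker is matched case-insensitively because
# vpxd.log writes "HTTP/s" while cls.log writes "HTTP/S".
count_matches() {
    grep -F -- "$2" "$1" | grep -ciF 'proxy is configured for the transfer' || true
}

# triage_proxy_faults FILE -> one "<label> <matching line count>" row per signature
triage_proxy_faults() {
    echo "diagnostics_check_403 $(count_matches "$1" 'Transfer failed: Invalid response code: 403')"
    echo "response_code_503 $(count_matches "$1" 'Invalid response code: 503')"
    echo "unrecognized_ssl_message $(count_matches "$1" 'Unrecognized SSL message, plaintext connection?')"
    echo "certificate_unknown $(count_matches "$1" 'certificate_unknown(46)')"
}

# has_known_issue FILE -> exit status 0 when the Diagnostics expression matches
has_known_issue() {
    [ "$(count_matches "$1" 'Transfer failed: Invalid response code: 403')" -gt 0 ]
}

# Constructed sample lines modelled on the excerpts above; the last line lacks the
# proxy marker, so the AND condition must not count it.
sample_log() {
    cat <<'EOF'
-->      message = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
-->   msg = "Transfer failed: Invalid response code: 403, note that HTTP/s proxy is configured for the transfer."
Server not trusted: certificate_unknown(46), note that HTTP/S proxy is configured for the transfer
Unrecognized SSL message, plaintext connection?, note that HTTP/s proxy is configured for the transfer
info vpxd[00000] Transfer failed: Invalid response code: 403
EOF
}

log=$(mktemp)
sample_log > "$log"
triage_proxy_faults "$log"
has_known_issue "$log" && echo "known issue signature present"
rm -f "$log"
```

Counts are matching lines, not tasks: a single failed import writes the 403 message more than once in vpxd.log.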