"Unable to find valid certification path to requested target" error when attempting to import a vApp Template into Cloud Director from an OVF URL

Article ID: 325502


Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Attempting to create a vApp Template in a Cloud Director Catalog using the option to import an OVF from a URL.
  • The OVF is located in an S3 bucket such as one backed by Cloud Director Object Storage Extension.
  • The vApp Template import task fails with an error in the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log of the form:
  at com.vmware.ts.impl.TransferItemFileFuture.isDone(TransferItemFileFuture.java:154)
  at com.vmware.vcloud.common.future.FutureUtil.waitForFutureOrCancel(FutureUtil.java:134)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.getOvfDescriptorFromSocket(VAppUploadManagerImpl.java:2965)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadOvfDescriptor(VAppUploadManagerImpl.java:2086)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUploadBody(VAppUploadManagerImpl.java:2030)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.handleUpload(VAppUploadManagerImpl.java:1943)
  at com.vmware.ssdc.backend.services.impl.VAppUploadManagerImpl.executeTask(VAppUploadManagerImpl.java:5012)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:828)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase$1.doInSecurityContext(TaskActivity.java:823)
  at com.vmware.vcloud.backendbase.management.system.SecurityContextTemplate.executeForOrgAndUser(SecurityContextTemplate.java:48)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.execute(TaskActivity.java:830)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$ExecutePhase.invokeInner(TaskActivity.java:726)
  at com.vmware.vcloud.backendbase.management.system.TaskActivity$TaskActivityBasePhase.invoke(TaskActivity.java:342)
  at com.vmware.vcloud.activity.executors.ActivityRunner.runPhase(ActivityRunner.java:175)
  at com.vmware.vcloud.activity.executors.ActivityRunner.run(ActivityRunner.java:112)
  at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
  at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
  at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Environment

VMware Cloud Director 10.x

Cause

Cloud Director will not import an OVF from URL unless it can trust the certificate presented when connecting to the remote endpoint.

Resolution

Ensure that Cloud Director can connect to the URL provided for the OVF import, either by having the remote endpoint present a signed certificate or by manually importing the remote endpoint's certificate into Cloud Director's Trusted Certificates.

Manual Import

  1. Log into the Cloud Director Provider UI and navigate to Administration > Certificate Management > Trusted Certificates.
  2. Click the Test Remote Connection option and enter the URL from which the OVF is to be imported.
  3. Use HTTPS for the Hostname verification algorithm and click Connect.
  4. Trust the certificate returned to import it into Cloud Director's Trusted Certificates.
  5. Retry the Test Remote Connection and confirm that Cloud Director reports that the connection was established successfully.
  6. The vApp Template import of OVF from URL should succeed now that Cloud Director trusts the remote endpoint's certificate.

Notes:

Make sure to test the connectivity between vCloud Director and vCenter and ALL the hosts inside the cluster where the OVF is being deployed.

If the connection is successful without any pop-up window showing a certificate, it means vCloud Director already trusts the endpoint.

If a pop-up appears asking to trust the certificate and add it to the library, it means the endpoint is not yet trusted.

If your ESXi hosts are using VMCA certs, you may need to renew them following these steps for vCloud Director to trust them, as the CA issuing the certificates will become your own vCenter.
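
Step 4 of the Manual Import is a trust decision, so the certificate's fingerprint should be compared with a value obtained from the endpoint's owner before it is accepted. The following is an added example, not part of the original article or of VMware tooling: a Python probe that attempts a verified handshake against the OVF URL's host and, if verification fails, reads the presented certificate for inspection only. It checks against the trust store of the machine it runs on (or a CA bundle passed as cafile), not Cloud Director's Trusted Certificates, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
import sys
from urllib.parse import urlsplit


def endpoint_from_url(url):
    """Return (host, port) for the TLS endpoint behind an https:// OVF URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL, got %r" % url)
    return parts.hostname, parts.port or 443


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _leaf_der(host, port, context, timeout):
    """Complete a TLS handshake and return the server's leaf certificate (DER)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe(url, cafile=None, timeout=10):
    """Try a verified handshake; on failure fetch the leaf for inspection only."""
    host, port = endpoint_from_url(url)
    report = {"endpoint": "%s:%d" % (host, port), "verified": True, "reason": None}
    try:
        der = _leaf_der(host, port, ssl.create_default_context(cafile=cafile), timeout)
    except ssl.SSLCertVerificationError as exc:
        report["verified"], report["reason"] = False, exc.verify_message
        # Verification is disabled only to read the certificate; no data is sent.
        insecure = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        insecure.check_hostname = False
        insecure.verify_mode = ssl.CERT_NONE
        der = _leaf_der(host, port, insecure, timeout)
    report["sha256"] = sha256_fingerprint(der)
    return report


if __name__ == "__main__":
    # Usage: python3 probe_ovf_endpoint.py https://<s3-endpoint>/<bucket>/<file>.ovf
    for key, value in probe(sys.argv[1]).items():
        print("%-9s %s" % (key, value))
```

A "verified False" result with a reason such as an untrusted issuer or a hostname mismatch indicates which of the two resolution paths applies; trust the certificate in the UI only when the printed fingerprint matches the one supplied by the endpoint's owner.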

Automatic Import

Certificates can be retrieved and trusted automatically as follows:

  1. SSH to your primary vCloud Director cell and run the following command:
    /opt/vmware/vcloud-director/bin/cell-management-tool trust-infra-certs --vsphere --unattended

    If the issue persists after this automated process, please revisit all the steps from the Manual Import section.