...
After a PNID change on VCSA, you are unable to create a customization spec in the GUI. It fails with the following error:

    "Create customization specification failed!" "vim.fault.Notfound"

You may see the following in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

    [2019-10-01T08:44:26.317Z] [ERROR] http-nio-5090-exec-40 70000153 100004 200001 c.v.v.c.vm.customizations.impl.VmCustomizationMutationProvider Error occurred while creating vm customization spec. com.vmware.vim.binding.vmodl.fault.SystemError: vim.fault.NotFound
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at com.vmware.vim.vmomi.core.types.impl.ComplexTypeImpl.newInstance(ComplexTypeImpl.java:174)
        at com.vmware.vim.vmomi.core.types.impl.DefaultDataObjectFactory.newDataObject(DefaultDataObjectFactory.java:25)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.ComplexStackContext.<init>(ComplexStackContext.java:30)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.parse(UnmarshallerImpl.java:159)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.unmarshall(UnmarshallerImpl.java:105)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:92)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:86)
        at com.vmware.vim.vmomi.client.common.impl.SoapFaultStackContext.setValue(SoapFaultStackContext.java:40)
        at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.processNextElement(ResponseUnmarshaller.java:127)
        at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.unmarshal(ResponseUnmarshaller.java:70)
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.unmarshalResponse(ResponseImpl.java:284)
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setResponse(ResponseImpl.java:239)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.parseResponse(HttpExchangeBase.java:156)
        at com.vmware.vim.vmomi.client.http.impl.HttpAsyncExchange$1$2.run(HttpAsyncExchange.java:149)
        at com.vmware.vim.vmomi.core.impl.BlockingFuture.executeRunnable(BlockingFuture.java:150)
        at com.vmware.vim.vmomi.core.impl.BlockingFuture.get(BlockingFuture.java:75)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$RetryingFuture.get(MethodInvocationHandlerImpl.java:588)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:682)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:371)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeFetch(MethodInvocationHandlerImpl.java:347)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:191)
        at com.sun.proxy.$Proxy946.getEncryptionKey(Unknown Source)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
After changing the PNID (Primary Network Identifier) of the vCenter machine, the Key Usage of the data-encipherment.crt certificate located in /etc/vmware-vpx/ssl/ is changed: Data Encipherment is no longer listed.

Before:

    $ openssl x509 -in before/data-encipherment.crt -purpose -noout -text
    ...
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

After:

    $ openssl x509 -in after/data-encipherment.crt -purpose -noout -text
    ...
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
This issue is resolved in VMware vCenter Server 6.7 U3b, available at VMware Downloads.
See the workaround below. Ensure you have a valid backup before making any changes:

1. Delete the data-encipherment entry from the VECS store:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store data-encipherment --alias data-encipherment --server localhost --upn administrator@vsphere.local

2. Create private and public key pairs:

    /usr/lib/vmware-vmca/bin/certool --genkey --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --pubkey=/etc/vmware-vpx/ssl/data-encipherment.pub

3. Create the certificate file for data encipherment (replace FQDN with your machine's Fully Qualified Domain Name):

    /usr/lib/vmware-vmca/bin/certool --server=FQDN --genCIScert --dataencipherment --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --cert=/etc/vmware-vpx/ssl/data-encipherment.crt --Name=data-encipherment --FQDN=FQDN

4. Verify that the new cert is located in the VECS store:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | less

   The output should include:

    Number of entries in store : 1

   Check the validity date and subject name to verify that it is new, and check under Key Usage that the following are present:

    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

5. Restart all services.

Note: If the cert is not located in the data-encipherment VECS store, create the VECS store entry as below:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store data-encipherment --alias data-encipherment --server localhost --upn administrator@vsphere.local --cert /etc/vmware-vpx/ssl/data-encipherment.crt --key /etc/vmware-vpx/ssl/data-encipherment.key

Then restart all services. See: Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x services
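
The Key Usage check from step 4, and the Before/After comparison in the cause description, can be scripted. The following is an added example, not part of the original KB or VMware tooling; the function names (key_usage, missing_usages, check_cert) and the sample text are constructed for illustration, and only the standard `openssl x509 -in FILE -noout -text` output format is assumed.

```shell
#!/bin/sh
# Added example (not from the KB): report which of the Key Usage values shown
# in the KB's "Before" output are missing from a certificate.

# Usages listed in the KB's "Before" output, '|'-separated.
REQUIRED_USAGES="Digital Signature|Non Repudiation|Key Encipherment|Data Encipherment"

# key_usage: read `openssl x509 -text` output on stdin and print the value
# line that follows "X509v3 Key Usage:" (with or without "critical").
key_usage() {
    awk '
        grab { gsub(/^[ \t]+|[ \t\r]+$/, ""); print; exit }
        /X509v3 Key Usage:/ { grab = 1 }
    '
}

# missing_usages: print the required usages absent from the certificate text
# on stdin; return 0 only when none are missing.
missing_usages() {
    usage_line=$(key_usage)
    missing=""
    old_ifs=$IFS
    IFS='|'
    for u in $REQUIRED_USAGES; do
        case ", $usage_line," in
            *", $u,"*) ;;
            *) missing="${missing}${missing:+, }$u" ;;
        esac
    done
    IFS=$old_ifs
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# check_cert FILE: same check against a PEM file (requires openssl).
check_cert() {
    openssl x509 -in "$1" -noout -text | missing_usages
}

# Constructed sample mirroring the KB's "After" output.
SAMPLE_AFTER='X509v3 extensions:
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment'

printf '%s\n' "$SAMPLE_AFTER" | missing_usages || true   # prints: Data Encipherment
```

On the appliance, `check_cert /etc/vmware-vpx/ssl/data-encipherment.crt` returns a non-zero status and names the missing usage when the certificate is in the state shown under "After".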