...
Attempting to edit the vCenter Server connection details in the Cloud Director Provider UI fails with an error of the form:

[ <REQUEST_UUID> ] Failed to retrieve VSphere urn:vcloud:vimserver:<VCENTER_UUID>'s designated Certificate Authority (VMCA) certificate. Please review KB 78885 to review and verify proper integration into your VSphere infrastructure. - Error response received from VCenter while trying to fetch VMCA

Attempting to trust the vCenter Server certificates with the command

/opt/vmware/vcloud-director/bin/cell-management-tool trust-infra-certs --vsphere --unattended

fails with output of the form:

Downloading certificates for X host(s), including 1 vCenter(s):
vcenter.example.com [Download: FAILURE]

The /opt/vmware/vcloud-director/logs/cell-management-tool.log shows errors of the form:

| WARN | main | AutoTrustInfraCertificates | Couldn't fetch vmca from vcenter https://vcenter.example.com/api via VAPI /vcenter/certificate-authority/get-root Response status code: 403, Response body: {"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]} |
...
| DEBUG | ForkJoinPool.commonPool-worker-5 | AutoTrustInfraCertificates | Could not connect to host: vcenter.example.com, certificates for this host will not be trusted.
| java.lang.ClassCastException: class sun.net.www.protocol.http.HttpURLConnection cannot be cast to class javax.net.ssl.HttpsURLConnection (sun.net.www.protocol.http.HttpURLConnection and javax.net.ssl.HttpsURLConnection are in module java.base of loader 'bootstrap')
    at com.vmware.vcloud.trustedcertificates.cmt.CertificatesUtil.retrieveCertFromAIA(CertificatesUtil.java:124)
    at com.vmware.vcloud.trustedcertificates.cmt.CertificatesUtil.getRootCaCert(CertificatesUtil.java:52)
    at com.vmware.vcloud.trustedcertificates.cmt.AutoTrustInfraCertificates.downloadCertificate(AutoTrustInfraCertificates.java:534)
    at com.vmware.vcloud.trustedcertificates.cmt.AutoTrustInfraCertificates.lambda$gatherCertificates$9(AutoTrustInfraCertificates.java:345)

Manually performing the vCenter API call to get the certificates, using the same vCenter Server user as Cloud Director, fails:

curl -k -v -X GET https://vcenter.example.com/api/vcenter/certificate-authority/get-root -H "vmware-api-session-id: {session-id}"

HTTP/1.1 403 Forbidden
{"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]}

Performing the steps in the knowledge base article vCenter Server, ESXi and/or NSX are disconnected after a Cloud Director 10.1, 10.3 or 10.4 upgrade (78885) fails.
This error can occur if the vCenter Server user that Cloud Director is configured with does not have sufficient privileges in vCenter to retrieve the certificates. For example, the vCenter user's Role must include the privilege Certificates > Manage certificates for the GET /api/vcenter/certificate-authority/get-root call to succeed. Note that the response is a 403 with error_type UNAUTHORIZED and the vAPI id com.vmware.vapi.authorization.permission.denied, not a 401: the user authenticated and obtained a session successfully, so this is an authorization (Role) problem, not a wrong password.
To resolve the issue, provide Cloud Director with a vCenter user whose Role has sufficient privileges, including Certificates > Manage certificates. Typically Cloud Director is given a vCenter user with the Administrator Role; for more information see Attach a vCenter Server Instance Alone or Together with an NSX Manager Instance. If a custom, more restrictive Role is used for the Cloud Director user, add the Certificates > Manage certificates privilege to that Role.

To verify outside of Cloud Director whether the vCenter user has sufficient privileges, use curl to query the vCenter API. Log in with the user that Cloud Director uses to connect to vCenter Server (curl prompts for the password; -k skips TLS verification and is only acceptable for this diagnostic):

curl -k -v -X POST https://vcenter.example.com/api/session -u "username@example.com"

From the response take the vmware-api-session-id value returned, for example:

vmware-api-session-id: <SESSION_UUID>

Using this vmware-api-session-id, attempt to get the root certificate from the vCenter API:

curl -k -v -X GET https://vcenter.example.com/api/vcenter/certificate-authority/get-root -H "vmware-api-session-id: <SESSION_UUID>"

A successful attempt returns a 200 OK response and the VMCA certificate as a JSON string, for example:

< HTTP/1.1 200 OK
< date: Tue, 11 Oct 2022 09:35:47 GMT
< content-type: application/json
< x-envoy-upstream-service-time: 242
< server: envoy
< transfer-encoding: chunked
<
"-----BEGIN CERTIFICATE-----\nMIIEHTCCAwWgAwIBAgIJANAReKyitL0gMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD\nVQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ\nFgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGzAZBgNV\nBAoMEnZjc2ExLnZjbG91ZC5sb2NhbDEbMBkGA1UECwwSVk13YXJlIEVuZ2luZWVy\naW5nMB4XDTIyMDYwNjA4NDcyOVoXDTMyMDYwMzA4NDcyOVowgZkxCzAJBgNVBAMM\nAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxv\nY2FsMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEbMBkGA1UECgwS\ndmNzYTEudmNsb3VkLmxvY2FsMRswGQYDVQQLDBJWTXdhcmUgRW5naW5lZXJpbmcw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwFLSwAOggvXvExnRkvPpG\nx9w2stjOm4F0bVSabyi79Txacm2U2zuhOFeRCIDU3ZoRbVZRY7bjUizG1MaDBlE4\n2foxik9WCQv4HzFjkBQnp6cQUaxRRL7tXiFxSoO5KTxRUI4ltG6dSEjykMr6ZtpG\nDzmnuMynbAQji0ecjY8oWKrUHCC4UukAUidRC22AuibUQxwmkegIjVKPF/0Qr2Sa\npirUrUrss1eCO79lXUY7a+I4icTQdnTCTEwPg0omOhPS0Gn3OgYjXn/Hgb22oJZk\n/3N+XP4KuogxNKfRoMJeruxLtB3/+tev+Fwv1lTK/07Fhc2+s6UvknvqM+1CVm0N\nAgMBAAGjZjBkMB0GA1UdDgQWBBQeazPReF4zA8eGOHxk23z/iVCkbDAfBgNVHREE\nGDAWgQ5lbWFpbEBhY21lLmNvbYcEfwAAATAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T\nAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAS6BnxAaxKfKAGvG2SETh\n7vHu0VguHbGY6VduItGRc965xzoppKZB7iSFKsoOKcVsVyAX0LpxWhG+32ugpcPK\nJn21lyTSqHKun57zaG8DqC28BueSPoZJWqlWD3QBWVyq1mb5Km5NLu++Qa6xGeqT\nfEhjdc1K/qxx3iqJNmI3u+uxXG9vtmB08QkZ/2IigAOltLs6D89IfjGVK/UFayxO\nvdT4prH0lyaq6xws/MeEcmt8E19K6HhSQbXzVX9DQrTwUbBFoGqqbYd/hrQvA+ot\n2bd3R8QhI9I6tjKxZAcur9Qy9jDFnrzuyXLRNJoZ9bNQ2nlQ7bXeIzSk26xHSIih\nWQ==\n-----END CERTIFICATE-----\n"
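The following script wraps the manual curl check above into a repeatable test and interprets the result the same way the cell-management-tool output does. It is an added example, not part of the knowledge base article or of the Cloud Director product. It assumes curl and openssl are installed, that the POST /api/session response body is the session id as a JSON string (so that it can be captured without -v), and uses the hypothetical environment variables VC_HOST and VC_USER for the vCenter FQDN and the Cloud Director service account. The sample 403 body used offline is the one quoted in the symptoms above.

```shell
#!/bin/sh
# Added example (not from the KB): verify that the vCenter user Cloud Director
# uses can read the VMCA root via GET /api/vcenter/certificate-authority/get-root,
# and classify the outcome. Placeholders: VC_HOST, VC_USER (hypothetical env vars).

# Decode the get-root response body (a JSON string with \n escapes, as in the
# KB's sample 200 response) into PEM. Assumption: the body is exactly one
# JSON-encoded string, no surrounding object.
json_string_to_pem() {
    body=$1
    body=${body#\"}      # strip leading quote
    body=${body%\"}      # strip trailing quote
    printf '%b' "$body"  # expand \n escapes into real newlines
}

# Classify an HTTP status code and body from the get-root call.
# Prints one of: OK | MISSING_PRIVILEGE | AUTH_FAILED | UNEXPECTED_<status>
interpret_get_root() {
    status=$1
    body=$2
    case $status in
        200) printf 'OK\n' ;;
        403)
            error_type=$(printf '%s' "$body" | sed -n 's/.*"error_type":"\([A-Z_]*\)".*/\1/p')
            if [ "$error_type" = "UNAUTHORIZED" ]; then
                # 403 + error_type UNAUTHORIZED (vAPI id
                # com.vmware.vapi.authorization.permission.denied) is the
                # signature of a Role lacking Certificates > Manage certificates:
                # the session was created, so credentials are fine.
                printf 'MISSING_PRIVILEGE\n'
            else
                printf 'UNEXPECTED_403\n'
            fi ;;
        401) printf 'AUTH_FAILED\n' ;;   # session id missing/expired or bad login
        *)   printf 'UNEXPECTED_%s\n' "$status" ;;
    esac
}

# Live check against a vCenter (needs network; not run by the offline test).
# -k mirrors the KB's diagnostic commands; drop it once the vCenter chain is
# trusted by the local CA store. curl prompts for the password so it never
# appears in the process list.
check_vmca_access() {
    session=$(curl -sk -X POST "https://$VC_HOST/api/session" -u "$VC_USER")
    session=${session#\"}; session=${session%\"}   # body is a JSON string (assumption)
    body_file=$(mktemp)
    status=$(curl -sk -o "$body_file" -w '%{http_code}' \
        "https://$VC_HOST/api/vcenter/certificate-authority/get-root" \
        -H "vmware-api-session-id: $session")
    result=$(interpret_get_root "$status" "$(cat "$body_file")")
    if [ "$result" = OK ]; then
        # Show the VMCA root's subject and expiry so the operator can confirm
        # it is the expected CA before trusting it in Cloud Director.
        json_string_to_pem "$(cat "$body_file")" | openssl x509 -noout -subject -enddate
    fi
    rm -f "$body_file"
    printf '%s\n' "$result"
}

# Usage: VC_HOST=vcenter.example.com VC_USER=svc-vcd@vsphere.local sh ./vmca_check.sh
# (the call below is skipped when the variables are unset, so the file can be sourced)
if [ -n "$VC_HOST" ] && [ -n "$VC_USER" ]; then
    check_vmca_access
fi
```

A MISSING_PRIVILEGE result means fixing the Role, not the password; an AUTH_FAILED result points at the credentials or an expired session instead. Re-run cell-management-tool trust-infra-certs only once the script reports OK.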
For more information on trusting vCenter Server certificates in Cloud Director, see the knowledge base article vCenter Server, ESXi and/or NSX are disconnected after a Cloud Director 10.1, 10.3 or 10.4 upgrade (78885).