I have seen others talk about this issue but they never stated what resolved their problem.
Problem: When you do a connect.pl from the Perl utilities and get Error: Server version unavailable at 'https://asciesx1/sdk/vimService.wsdl'. If you do a wget it returns.
16:02:15 https://asciesx1/sdk/vimService.wsdl
Resolving asciesx1... 172.29.59.25
Connecting to asciesx1|172.29.59.25|:443... connected.
ERROR: cannot verify asciesx1's certificate, issued by `/C=US/ST=California/L=Palo Alto/O=VMware, Inc./emailAddress=ssl-certificates@vmware.com/OU=VMware ESX Server Certificate/CN=asciesx1/unstructuredName=1250522187,564d7761726520496e632e':
Self-signed certificate encountered.
To connect to asciesx1 insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
I have tried to configure openssl and give the ca certificate to the client machine so that it could use it for verifying. These are self-signed certificates.
Can you provide the exact command/syntax you're using to connect to either your ESX(i) or vCenter host? Where are you executing this from? vCLI on Windows/Linux or on vMA?
You should be doing something like the following (example using vMA 4.0):
[vi-admin@scofield ~]$ /usr/lib/vmware-vcli/apps/general/connect.pl --server himalaya.primp-industries.com --username root
Enter password:
Connection Successful
Server Time : 2009-08-18T02:44:38.533958Z
=========================================================================
William Lam
VMware vExpert 2009
I am using the vMA? I am under the directory general and executing the connect.pl. I am getting the above errors that point back to a problem with the self-signed certificates. I have verified the certificates are good by openssl verify <certificate name>. I believe that it is a configuration error. Not sure how openssl works with self-signed certificates on the client side.
I am having the same issue with perl 5.12.3, compiled from source, installed in /usr/local on Mac OS X 10.6 (Snow Leopard).
$ sudo /usr/local/bin/perl /usr/local/bin/apps/general/connect.pl --server servername
$ curl -o - https://servername:443/sdk/vimService.wsdl
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
$ curl -ko - https://servername:443/sdk/vimService.wsdl
<?xml version="1.0" encoding="UTF-8" ?>
<!--
Copyright 2005-2010 VMware, Inc. All rights reserved.
-->
<definitions targetNamespace="urn:vim25Service"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:interface="urn:vim25"
>
<import location="vim.wsdl" namespace="urn:vim25" />
<service name="VimService">
<port binding="interface:VimBinding" name="VimPort">
<soap:address location="https://localhost/sdk/vimService" />
</port>
</service>
</definitions>
I believe I ran into this before on the forums, but when using OpenSSL with C++ and gSoap.
Basically the self signed cert on an ESX host does not include the self-create CA certificate, so a strict certificate check will fail (for example, if you were to extract the certificate and do an openssl verify). However, this doesn't impede browsers and the SDK tool kits.
However, I am not seeing this issue with Perl 5.10. That error is going to be from either LibXML or Crypt::SSLeay. What versions of those are you running? It may be a bug in either of the two (though I'm guessing it may be LibXML).
I'm seeing this issue with Perl 5.10
I definitely think that newer versions of Crypt::SSLeay are more restrictive about ssl certs.
Unfortunately, that seems to make it impossible to use any of the cli tools without running older perl modules.
Crypt::SSLeay v0.85
So I double checked on my lab machine (OS 10.6.7)
Versions
Perl: 5.10.0
Crypt::SSLeay: 0.58
OpenSSL: 0.9.8l 5 Nov 2009
It's a fairly recent install of Snow Leopard. The only modification I had to make was to remove arch ppc from "/System/Library/Perl/5.10.0/darwin-thread-multi-2level/Config_heavy.pl". Looks like XCode 4 removed the assembler for ppc and it errored out when I tried to install Crypt::SSLeay.
What I did differently is I downloaded the Perl SDK. I then copied the VMware/share/VMware/* modules and put them into /System/Library/Perl/5.10.0/VMware.
I then installed Crypt::SSLeay using CPAN. I'm able to connect to vCenter and list out hosts in a test script.
There might be more going on than just the SSLeay module version.
Looks like I typoed my SSLeay version.
Full version list:
Perl 5.10.1
Crypt::SSLeay 0.58
OpenSSL 0.9.8k
FreeBSD 7.3
Could I get a copy of your test script, stumpr? I'm still waiting on access privileges to our local VMA instance, and would like to try something that at least works for someone else. I'm also waiting on my account getting some bits flipped, so I can file a support ticket about this (since vmware doesn't seem to follow the forums very well).
I did the VMWare perl modules using Makefile.PL. Everything else is pkg_add or perl -MCPAN.
It's a simple script, it really shouldn't have any impact on the testing. Any chance there is some network variable at cause, such as a https proxy?
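use strict;
use warnings;
use VMware::VIRuntime;

# Parse and validate the standard SDK options (--server, --username, ...)
Opts::parse();
Opts::validate();

# Open the session; this is the step that fetches vimService.wsdl over HTTPS
Util::connect();

# List the name of every host the server knows about
my $host_views = Vim::find_entity_views( view_type => "HostSystem", properties => [ 'name' ] );
foreach my $host ( @{$host_views} ) {
    print $host->name . "\n";
}

Util::disconnect();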
I needed to add:
$ENV{SSL_verify_mode} = 0x00;
Near the top of my script. After that, it's all working beautifully.
I think I have found a more simple solution for this:
# export PERL_LWP_SSL_VERIFY_HOSTNAME=0
This disables SSL checks.
Regards,
Rainer
Rainer wrote:
I think I have found a more simple solution for this:
# export PERL_LWP_SSL_VERIFY_HOSTNAME=0
@RockT:
THANKS THANKS THANKS !!!!!
You saved my day!
Really!
That works like a charm 🙂
Thanks again!
Thomas
You're welcome, Thomas.
This is kinda insecure, isn't it 🙂
I'd prefer a method of saving the certificate locally and "trust" it (think firefox, IE, Chrome). So at least you know if it's been tampered with in transit.
How can this be done on a Windows machine with vCLI?
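The "save the certificate locally and trust it" approach asked for in the last post, as an added example that is not part of the original thread: it pins the host's self-signed certificate as the only trust anchor instead of turning verification off. It assumes a vMA/Linux shell with the openssl CLI and GNU coreutils, and that the SDK's LWP client honours the stock LWP 6 / Crypt::SSLeay variables; the function names and the `~/.esx-pins` path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pin an ESX host certificate
# rather than disabling verification. Names and paths are hypothetical.

# Save the certificate the host presents. Nothing is trusted yet.
fetch_cert() {  # fetch_cert HOST OUTFILE
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}

# SHA-256 over the DER bytes of a single-certificate PEM file
# (the certificate fingerprint), printed as lowercase hex.
cert_sha256() {  # cert_sha256 PEMFILE
    sed -e '/^-----/d' "$1" | tr -d '\r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Trust the saved certificate only if it matches a fingerprint obtained
# out of band (for example, read on the host console).
trust_pinned_cert() {  # trust_pinned_cert PEMFILE EXPECTED_SHA256
    [ -s "$1" ] || return 2
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_sha256 "$1")
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $1: got $got" >&2
        return 1
    fi
    # Verification stays on; the pinned file is the only trust anchor.
    unset PERL_LWP_SSL_VERIFY_HOSTNAME
    PERL_LWP_SSL_CA_FILE=$1   # read by LWP 6.x
    HTTPS_CA_FILE=$1          # read by Crypt::SSLeay
    export PERL_LWP_SSL_CA_FILE HTTPS_CA_FILE
}

# Usage: sh pin-esx.sh HOST SHA256 COMMAND [ARGS...]
if [ "$#" -ge 3 ]; then
    host=$1; pin=$2; shift 2
    pem="$HOME/.esx-pins/$host.pem"
    mkdir -p "$HOME/.esx-pins"
    fetch_cert "$host" "$pem" && trust_pinned_cert "$pem" "$pin" && exec "$@"
    exit 1
fi
```

Hostname checking remains active, so `--server` must use the name in the certificate's CN (`asciesx1` in the first post). A regenerated or swapped certificate then fails the pin check instead of being silently accepted.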