VMware {code} Community
kimroz
Contributor

Web Client Plugin Deployment Failure for vSphere 6.5

Hi laurentsd

Plugin Registration Failure.

Issue: Registration of vSphere web client plugin with vCenter 6.5 Server failed to deploy with Error:

VcExtensionManager Downloading plugin package from https://198.18.3.218:8443/root/mypackage.zip (no proxy defined)

Note: the same registration process is working fine with vSphere 6.0 U2 for the said plugin.

vSphere Web Client Version: 6.5.0 Build 4240472

Steps Taken:

  1. Register the plugin with vSphere vCenter server using extension manager API registerExtension()
  2. Set the certificate thumbprint at the time of registration, the certificate is encrypted using SHA1 encryption.
  3. The registration passed, and the plugin package is visible in the mob extension manager.
  4. Re-login to vSphere web client, the package is not visible.
  5. Virgo logs indicate that the download of the package failed with the error “Certificates does not conform to algorithm constraints”.

Please find the log snippet below:

[2016-09-27T07:24:04.577-07:00] [INFO ] vc-extensionmanager-pool-80  70000082 100007 200005 com.vmware.vise.vim.extension.VcExtensionManager Downloading plugin package from https://198.18.3.218:8443/root/mypackage.zip (no proxy defined)

[2016-09-27T07:24:04.599-07:00] [WARN ] vc-extensionmanager-pool-77  70000082 100007 200005 com.vmware.vise.extensionfw.impl.PackageManifestParser Plugin id mismatch between the registered extension key (com.vmware.vsan.health) and the id specified in plugin-package.xml (com.vmware.vsphere.client.vsan). The registration id will be used but you should keep them in sync.

[2016-09-27T07:24:04.634-07:00] [ERROR] vc-extensionmanager-pool-80  70000082 100007 200005 com.vmware.vise.vim.extension.VcExtensionManager Package com.plugin.key was not installed!
Error downloading https://198.18.3.218:8443/root/mypackage.zip. Make sure that the URL is reachable then logout/login to force another download. javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
    at com.vmware.vise.util.http.ConnectionManager.connect(ConnectionManager.java:255)
    at com.vmware.vise.util.http.SimpleHttpClient.connect(SimpleHttpClient.java:236)
    at com.vmware.vise.util.http.SimpleHttpClient.executeMethodResponseAsStream(SimpleHttpClient.java:127)
    at com.vmware.vise.vim.extension.VcExtensionManager.writePackageToFile(VcExtensionManager.java:940)
    at com.vmware.vise.vim.extension.VcExtensionManager.downloadPackage(VcExtensionManager.java:889)
    at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:703)
    at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:694)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at com.vmware.vise.util.concurrent.QueuingCachedThreadPool$QueueProcessor.run(QueuingCachedThreadPool.java:885)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1055)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:981)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:923)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 27 common frames omitted

[2016-09-27T07:24:04.795-07:00] [INFO ] plugin-deploy11 70000082 100007 200005 com.vmware.vise.extensionfw.impl.PackagesDeployer Deploying plugin package 'com.vmware.vsan.health:6.5.0'.

[2016-09-27T07:24:04.795-07:00] [INFO ] plugin-deploy11 70000082 100007 200005 com.vmware.vise.extensionfw.impl.HotDeployBundleDeployer Copying using temp directory: C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\work\tmp, bundle: com.vmware.vsan.vmodl, to destination: C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\pickup\vsan-vmodl.jar

Query: Is there any change in the vSphere plugin registration flow, specifically in terms of security/certificate?

11 Replies

abhishekdubey
Enthusiast

I am also facing a similar SSLHandshake issue with my plugin.

It seems there is some change in the VC6.5 deployment procedure, as everything works fine for the plugin till VC6.

irahov
VMware Employee

Suggestion:
Please try running the virgo with java 8.

Question:
How did you perform the registration? Is it your custom tool, did you use vim25.jar, which is the jre version on the machine used to run the registration?

Others:
Please try to avoid "Plugin id mismatch between the registered extension key
and the id specified in plugin-package.xml"

abhishekdubey
Enthusiast

Thanks for comments.

>>>>Please try running the virgo with java 8.

Can you be specific, as we are trying on a beta version of 6.5, not the development server?

>>>>>Please try to avoid "Plugin id mismatch between the registered extension key and the id specified in plugin-package.xml"

The ID is the same and, interestingly, a similar extension is working fine with 6.0.


_vladi_
VMware Employee

Hi,

>>>>>>>>Please try running the virgo with java 8.

>>>> Can you be specific as we are trying on beta version of 6.5 not the development server.

It is not clear which Web Client you are using: Flex or HTML? On the vCenter or local? Please set JAVA_HOME to refer to a Java 8 location and start the client.

Please also try out the new plugin registration tool which is part of the HTML Client SDK Fling and see if you get the same error.

Cheers,

Vladimir

abhishekdubey
Enthusiast

Thanks

SreeSindhuSruth
Enthusiast

Hi,

I'm facing a similar issue.

To register the plugin to VCSA 6.5, steps followed:

Run the script at the location html-client-sdk\tools\vCenter plugin registration\prebuilt\extension-registration, giving all the arguments required.

The package is available in the extension manager.

The logs show the following error:

vc-extensionmanager-pool-76 70000035 100004 200001 com.vmware.vise.extensionfw.ExtensionManager plugin-package.xml is missing here.

SreeSindhuSruth
Enthusiast

The .zip file content was not as expected by the vsphere-client. Fixing the .zip file contents fixed this issue.

tganchev
VMware Employee

What was the exact problem with the contents? From my experience, Java, Python and Unix zip libraries have problems dealing with newer versions of the zip format (as may be saved by versions of WinRAR, for example).

SreeSindhuSruth
Enthusiast

Issue is fixed now, tganchev.

Punitha22
Contributor

Hi laurentsd,

With a sha-1 certificate the plugin download works fine for me, but when the certificate is changed to sha-256, the plugin download fails with the below stack trace:

com.vmware.vise.vim.extension.VcExtensionManager                  Package com.abc.plugin was not installed. Error downloading https://abc.com/com.abc.plugin.zip. Make sure that the URL is reachable then logout/login to force another download. javax.net.ssl.SSLException: java.lang.reflect.UndeclaredThrowableException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
    at com.vmware.vise.util.http.ConnectionManager.connect(ConnectionManager.java:279)
    at com.vmware.vise.util.http.SimpleHttpClient.connect(SimpleHttpClient.java:313)
    at com.vmware.vise.util.http.SimpleHttpClient.executeMethodResponseAsStream(SimpleHttpClient.java:204)
    at com.vmware.vise.vim.extension.VcExtensionManager.writePackageToFile(VcExtensionManager.java:1064)
    at com.vmware.vise.vim.extension.VcExtensionManager.downloadPackage(VcExtensionManager.java:982)
    at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:750)
    at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:741)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at com.vmware.vise.util.concurrent.QueuingCachedThreadPool$QueueProcessor.run(QueuingCachedThreadPool.java:897)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.UndeclaredThrowableException: null
    at com.sun.proxy.$Proxy658.checkServerTrusted(Unknown Source)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    ... 21 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.vmware.vise.util.reflection.ProfilingInvocationHandler.invoke(ProfilingInvocationHandler.java:78)
    ... 30 common frames omitted
Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:183)
    ... 35 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:171)
    ... 35 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 41 common frames omitted

vCenter 6.5, the Web Client is HTML, and JAVA_HOME is set to Java 8.

Thanks

laurentsd
VMware Employee

> With a sha-1 certificate the plugin download works fine for me, but when the certificate is changed to sha-256, the plugin download fails

The doc says to use SHA1 thumbprints: VMware vSphere 6.5 Documentation Library

"
<extension>
...
    <server>
        <url>https://myhost/helloworld-plugin.zip</url>
        <description>
            <label>Helloworld</label>
            <summary>Helloworld sample plugin</summary>
        </description>
        <company>VMware</company>
        <!-- SHA1 Thumbprint of the server hosting the .zip file -->
        <serverThumbprint>
            3D:E7:9A:85:01:A9:76:DD:AC:5D:83:1C:0E:E0:3C:F6:E6:2F:A9:97
        </serverThumbprint>
        <type>HTTPS</type>
        <adminEmail>your-email</adminEmail>
    </server>
</extension>
"

Reply
0 Kudos
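
An added example, not part of the thread or of VMware's tooling: a SHA-1 thumbprint is the digest of the whole DER-encoded certificate, so it does not depend on the certificate's signature algorithm, and a value registered in `<serverThumbprint>` goes stale whenever the server certificate is replaced. The check below compares the registered value with a certificate's digest; the function names, the host `plugin-host.example` and the stand-in certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import ssl
import xml.etree.ElementTree as ET

HEX = set("0123456789ABCDEF")

def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(thumbprint: str) -> str:
    """Keep hex digits only, so colons, case and whitespace do not matter."""
    return "".join(c for c in thumbprint.upper() if c in HEX)

def registered_thumbprint(extension_xml: str) -> str:
    """Read <serverThumbprint> from registration XML shaped like the doc sample."""
    node = ET.fromstring(extension_xml).find("./server/serverThumbprint")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <serverThumbprint> under <server>")
    return node.text.strip()

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate unvalidated (needs network access)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def thumbprint_matches(extension_xml: str, der: bytes) -> bool:
    """True if the registered SHA-1 thumbprint is the digest of this certificate."""
    registered = normalize(registered_thumbprint(extension_xml))
    if len(registered) != 40:  # e.g. a 64-digit SHA-256 fingerprint was pasted in
        raise ValueError("registered value is not a 20-byte SHA-1 thumbprint")
    return registered == normalize(sha1_thumbprint(der))

# Constructed stand-ins for the DER bytes of the old and the replaced certificate;
# a real check would use fetch_der("plugin-host.example", 8443) (hypothetical host).
OLD_CERT, NEW_CERT = b"abc", b"abcd"
SAMPLE_XML = """<extension>
  <server>
    <url>https://plugin-host.example/plugin.zip</url>
    <serverThumbprint>
      a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
    </serverThumbprint>
    <type>HTTPS</type>
  </server>
</extension>"""

if __name__ == "__main__":
    print("old certificate:", thumbprint_matches(SAMPLE_XML, OLD_CERT))
    print("new certificate:", thumbprint_matches(SAMPLE_XML, NEW_CERT))
```

A mismatch after a certificate change means the extension has to be re-registered with the new certificate's SHA-1 thumbprint.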