VMware Cloud Community
jawei
Contributor
Contributor
‎07-28-2018 04:35 PM
Jump to solution

Could not read the OVF package certificate

I have successfully signed the OVF package with ovftool 4.2. The certificate was signed by a Root CA.

Now the problem is that vSphere Web Client runs into the following error during Deploy OVF Template.

Any help is greatly appreciated.

Screen Shot 2018-07-27 at 11.45.36 PM.png

1 Solution

Accepted Solutions
SupreetK
Commander
Commander
‎07-29-2018 06:08 AM
Jump to solution

Ahh Okay! There were a few similar issues reported with an Avaya appliance that was supposedly fixed in version 6.5. You may want to upgrade to 6.5 and give it a shot. However since it is working with the thick client, I don't think this is a show stopper Smiley Happy

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

View solution in original post

0 Kudos
8 Replies
SupreetK
Commander
Commander
‎07-28-2018 06:16 PM
Jump to solution

Can you check and share the below details?

1) What is that you are trying to deploy?

2) What is the version of the ESXi host? If it is above 6.5 U1, try to deploy the OVF using the host client. If it is below 6.5 U1, try using the good old fat client.

3) If nothing works, you can use the OVF tool to deploy it from the command line. Detailed steps listed in the below blog -

https://cstan.io/?p=8972&lang=en

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

0 Kudos
jawei
Contributor
Contributor
‎07-28-2018 08:40 PM
Jump to solution

1) I try to deploy a signed OVF that is created with ovftool on Ubuntu as follows:

administrator@csm-sj-alpha:~/ova/ubuntu/tmp$ ovftool --privateKey=csm-sj-alpha.cisco.com-26121.pem Ubuntu1642_CSM351.ovf signed-csm351.ovf

Opening OVF source: Ubuntu1642_CSM351.ovf

The manifest validates

Opening OVF target: signed-csm351.ovf

Writing OVF package: signed-csm351.ovf

Transfer Completed                   

Completed successfully

administrator@csm-sj-alpha:~/ova/ubuntu/tmp$ ls -tl

total 7098420

-rw-r--r-- 1 administrator administrator       3429 Jul 28 16:59 signed-csm351.cert

-rw-r--r-- 1 administrator administrator        191 Jul 28 16:59 signed-csm351.mf

-rw-r--r-- 1 administrator administrator 3634351104 Jul 28 16:59 signed-csm351-disk1.vmdk

-rw-r--r-- 1 administrator administrator       9363 Jul 28 16:59 signed-csm351.ovf

where csm-sj-alpha.cisco.com-26121.pem is a concatenation of private key, Certificate, Issing CA and Root CA.

2) Both ESXi and vCenter Server Appliance/vSphere Web Client are 5.5

Screen Shot 2018-07-28 at 8.25.19 PM.png

3) There is no error to deploy the signed OVF without vSphere Web Client. Only with vSphere Web Client the error occurs.

Is there any installation / configuration of the certificate on vCenter Server Appliance or vSphere Web Client?

If needed I can send you the pem file that is used to sign the OVF by ovftool in a private email.

I really appreciate it!

0 Kudos
SupreetK
Commander
Commander
‎07-29-2018 06:08 AM
Jump to solution

Ahh Okay! There were a few similar issues reported with an Avaya appliance that was supposedly fixed in version 6.5. You may want to upgrade to 6.5 and give it a shot. However since it is working with the thick client, I don't think this is a show stopper Smiley Happy

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

0 Kudos
diegodco31
Leadership
Leadership
‎07-29-2018 08:01 AM
Jump to solution

look:

the ovf package is signed with an invalid certificate

Let us know if you fix your problem

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego
0 Kudos
msripada
Virtuoso
Virtuoso
‎07-30-2018 07:13 AM
Jump to solution

where csm-sj-alpha.cisco.com-26121.pem is a concatenation of private key, Certificate, Issing CA and Root CA.

Pem files should not have the private key.......

It should be certificate, issuing CA and root CA only

Thanks,

MS

0 Kudos
jawei
Contributor
Contributor
‎07-30-2018 11:09 PM
Jump to solution

Hi Supreet,

Yes, I was able to deploy the signed ovf with vSphere Web Client version 6.5. The same signed ovf doesn't work with version 5.5.

Screen Shot 2018-07-30 at 10.43.35 PM.png

I really appreciate your help!

-James

jawei
Contributor
Contributor
‎07-30-2018 11:18 PM
Jump to solution

Hi Diego,

Thank you for sharing the link! It does help to solve the problem.

There were two issues: (1) the signed ovf is not recognized by version 5.5 (2) the signed ova deployment in version 6.5 had an error.

Following the reply by Adolph1991,  I was able to deploy the VM by selecting 3 files (.mf/.ovf/.vmdk), while the ovf is signed.

Best,

-James

0 Kudos
jawei
Contributor
Contributor
‎07-30-2018 11:20 PM
Jump to solution

Hi MS,

Thank you for replying!

Normally the pem file does not include the private key. In the case as an input to ovftool, a pem with private key was required.

Best,

-James

0 Kudos