rradek
Contributor

VCF 4.2 Bring up of workload domain fails with Failed to import certificate

Hi

The bring up process of workload domain failed with the following error:

Message: Failed to import certificate in vCenter vi01-vc01.vcf.lab trusted root certificates

Remediation Message: Reference Token: DBVRVJ

Cause:  Type: org.springframework.web.client.HttpClientErrorException$Forbidden

Message: 403 Forbidden: [{"type":"com.vmware.vapi.std.errors.unauthorized","value":{"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]}}]

This is the error description from domainmanager.log:


2021-10-14T23:32:12.413+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.e.s.v.c.ImportTrustedRootCertificatesAction,dm-exec-9]  Adding certificates to vC vi01-vc01.vcf.lab trusted root certificates

2021-10-14T23:32:12.413+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.v.v.v.VcCertificateManagementServiceImpl,dm-exec-9]  Adding certificates to vCenter https://vi01-vc01.vcf.lab/rest trusted root chain

2021-10-14T23:32:12.547+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.vcf.vapi.vsphere.VapiRestClient,dm-exec-9]  Executing REST request: Type POST, URL https://vi01-vc01.vcf.lab/rest/vcenter/certificate-management/vcenter/trusted-root-chains

2021-10-14T23:32:12.581+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.vcf.vapi.vsphere.VapiRestClient,dm-exec-9]  Removing session to vCenter...

2021-10-14T23:32:12.582+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.vcf.vapi.vsphere.VapiRestClient,dm-exec-9]  Executing REST request: Type DELETE, URL https://vi01-vc01.vcf.lab/rest/com/vmware/cis/session

2021-10-14T23:32:12.585+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.vcf.vapi.vsphere.VapiRestClient,dm-exec-9]  Successfully executed REST request with body: , and received response with body: null

2021-10-14T23:32:12.586+0000 ERROR [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.e.s.o.model.error.ErrorFactory,dm-exec-9]  [DCPPFO] FAILED_TO_IMPORT_VC_TRUSTED_ROOT_CERTIFICATE Failed to import certificate in vCenter vi01-vc01.vcf.lab trusted root certificates

com.vmware.evo.sddc.orchestrator.exceptions.OrchTaskException: Failed to import certificate in vCenter vi01-vc01.vcf.lab trusted root certificates

        at com.vmware.evo.sddc.vsphere.contract.ImportTrustedRootCertificatesAction.execute(ImportTrustedRootCertificatesAction.java:68)

        at com.vmware.evo.sddc.vsphere.contract.ImportTrustedRootCertificatesAction.execute(ImportTrustedRootCertificatesAction.java:36)

[..]

        at org.springframework.cloud.sleuth.instrument.async.TraceRunnable.run(TraceRunnable.java:67)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

        at java.lang.Thread.run(Thread.java:748)

Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"type":"com.vmware.vapi.std.errors.unauthorized","value":{"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]}}]

        at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109)

        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:184)

        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:125)

        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)

        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)

----

Any suggestions how to fix it are really appreciated.

Thanks

Radek

viquarhcimca
Enthusiast

On the ESXi and VC you will have one more SVC-xxx user name, which will be created by SDDC Automation. Make sure it has the Administrator permission.

From the logs it looks like a permission issue. It is worth checking that the user has Administrator permission.

Thanks & Regards,

Mohammed Viquar Ahmed
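
Added example (not part of the original posts, and not VMware code): a small Python triage script for a domainmanager.log excerpt like the one in the question. It groups lines by trace id, extracts the vAPI error id from the "Caused by" JSON, and lists the REST calls that never logged success. The sample lines are constructed from the posted excerpt (wraps rejoined, one shared timestamp prefix), and treating a request with no following "Successfully executed" line as the failing call is an assumption.

```python
import json
import re

# Layout of the domainmanager.log lines quoted in this thread:
# <timestamp> <LEVEL> [<service>,<trace id>,<span>] [<logger>,<thread>]  <message>
LINE = re.compile(r"^\S+ (\w+) \[[^,\]]*,(\w+),[^\]]*\] \[[^\]]*\]\s+(.*)$")
REQUEST = re.compile(r"Executing REST request: Type (\w+), URL (\S+)")
HTTP_ERROR = re.compile(r"^Caused by: \S+: (\d{3}) [^:]+: (\[.*\])$")

def triage(lines):
    """Pair each HTTP client error with the REST calls of its trace that logged no success."""
    calls, findings, trace = {}, [], None
    for raw in lines:
        line = raw.strip()
        header = LINE.match(line)
        if header:
            _, trace, message = header.groups()
            request = REQUEST.search(message)
            if request:
                calls.setdefault(trace, []).append([request.group(1), request.group(2), False])
            elif message.startswith("Successfully executed REST request") and calls.get(trace):
                calls[trace][-1][2] = True  # assumption: success refers to the latest request
            continue
        error = HTTP_ERROR.match(line)
        if error and trace:
            try:
                body = json.loads(error.group(2))
            except ValueError:
                continue  # wrapped or truncated JSON: rejoin the log line first
            findings.append({
                "trace": trace,
                "status": int(error.group(1)),
                "error_ids": [m.get("id") for item in body
                              for m in item.get("value", {}).get("messages", [])],
                "unconfirmed": [(c[0], c[1]) for c in calls.get(trace, []) if not c[2]],
            })
    return findings

# Constructed sample: lines abridged from the excerpt posted above, wraps rejoined.
P = "2021-10-14T23:32:12.547+0000 DEBUG [vcf_dm,e469af24f0f51fdd,dfc8] [c.v.vcf.vapi.vsphere.VapiRestClient,dm-exec-9]  "
SAMPLE = [
    P + "Executing REST request: Type POST, URL https://vi01-vc01.vcf.lab/rest/vcenter/certificate-management/vcenter/trusted-root-chains",
    P + "Executing REST request: Type DELETE, URL https://vi01-vc01.vcf.lab/rest/com/vmware/cis/session",
    P + "Successfully executed REST request with body: , and received response with body: null",
    "        at java.lang.Thread.run(Thread.java:748)",
    'Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"type":"com.vmware.vapi.std.errors.unauthorized","value":{"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Permission to perform this operation was denied.","id":"com.vmware.vapi.authorization.permission.denied"}]}}]',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample, the only call without a logged success is the POST to trusted-root-chains, and the error id is a permission denial for an established session, which matches the permission check suggested in the reply.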