VMware Cloud Community
andreir
Enthusiast
Enthusiast
‎05-21-2020 11:31 AM
Jump to solution

New-ContentLibraryItem OVA import fails with "certificate is not trusted"

Hi all,

using VMware.PowerCLI Core 12.0.0.15947286 on Linux VM. Trying to import an item into vCenter content librarywhich fails with "The certificate is self-signed. The certificate is not trusted..". The certificate check is set to "Ignore" in PowerCLI configuration.

I don't see any options in New-ContentLibraryItem cmdlet to allow untrusted cert. How can I get the OVA imported when vCenter cert is self-signed? Thanks!

PS /home/user> $localContentLibrary = Get-ContentLibrary -Name 'Local library'

PS /home/user> New-ContentLibraryItem -ContentLibrary $localContentLibrary -Name 'nsx-unified-appliance-2.5.1.0.0.15314292' -Files "./tmp/nsx-unified-appliance-2.5.1.0.0.15314292.ova"

An error occurred while trying to update content library item's files. For more details check the inner exception.

vCenter error:

The import of library item 48d9ec5f-5fae-4905-adb1-2bbfa2d5aee1 has failed. Reason: The certificate is self-signed. The certificate is not trusted..

PS /home/user/tmp> Get-PowerCLIConfiguration | select  InvalidCertificateAction

InvalidCertificateAction

------------------------

                  Ignore

                  Ignore

Tags (1)
Reply
1 Solution

Accepted Solutions
LucD
Leadership
Leadership
‎05-21-2020 12:14 PM
Jump to solution

I would suggest to open an SR for this.
I agree that an official OVA should not contain self-signed certificates.

And yes, the option to bypass the certificate check is missing on the cmdlet.

I would suggest to launch an idea for this at VMware PowerCLI

In parallel inform your TSA


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

Reply
0 Kudos
4 Replies
LucD
Leadership
Leadership
‎05-21-2020 11:53 AM
Jump to solution

Are you sure this is caused by the vCenter certificate and not the certificate included In the OVF?

Can you import the same via the Web CLient without issue?

See also https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-897EEEC2-B378-41A...


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
andreir
Enthusiast
Enthusiast
‎05-21-2020 12:08 PM
Jump to solution

Hi Luc,

just tried it with the Web Client and it looks like you're right - the problem is with the self-signed certificate bundled with the OVA. This is an official NSX-T OVA that I downloaded from VMware. If I click "Proceed Anyway" then it's imported successfully.

It looks like there is no functionality to ignore OVA certificate with "New-ContentLibraryItem"? Perhaps this can be added in the future?

pastedImage_0.png

Thank you!

Reply
0 Kudos
LucD
Leadership
Leadership
‎05-21-2020 12:14 PM
Jump to solution

I would suggest to open an SR for this.
I agree that an official OVA should not contain self-signed certificates.

And yes, the option to bypass the certificate check is missing on the cmdlet.

I would suggest to launch an idea for this at VMware PowerCLI

In parallel inform your TSA


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
andreir
Enthusiast
Enthusiast
‎05-21-2020 03:55 PM
Jump to solution

Just in case someone else hits this - until the cmdlet option is added, a solution is to unzip the ova, remove the .cert file, and import it as ovf.

Reply