VMware Cloud Community
xavierwalker
Contributor

VCSA 6.7 installation problems

I'm really confused here and don't know why I'm having these issues.

I've installed a fresh install of VCSA on a new server running ESXi 6.7u1.

In the pre-production environment, this has worked fine. The appliance finished installing, I was able to connect over https and configure it.

However, on the production system, I just cannot figure out why it's not working.

The appliance deploys apparently OK with all the settings I supply in the scripts, but I cannot get to configure it.

netstat shows that none of the services are up and running.

Here's what I get when I try to start vami-lighttp:

root@vcsa [ /etc/sysconfig/network-scripts ]# service vami-lighttp status -l
* vami-lighttp.service - LSB: Lightning fast webserver with light system requirements
   Loaded: loaded (/usr/lib/systemd/system/vami-lighttp.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-02-18 13:15:27 UTC; 4s ago
  Process: 8195 ExecStop=/etc/rc.d/init.d/vami-lighttp stop (code=exited, status=0/SUCCESS)
  Process: 8225 ExecStart=/etc/rc.d/init.d/vami-lighttp start (code=exited, status=0/SUCCESS)
 Main PID: 8243 (vami-lighttpd)
    Tasks: 1
   Memory: 872.0K
      CPU: 93ms
   CGroup: /system.slice/vami-lighttp.service
           +-8243 /opt/vmware/sbin/vami-lighttpd -f /opt/vmware/etc/lighttpd/lighttpd.conf

Feb 18 13:15:27 vcsa systemd[1]: Starting LSB: Lightning fast webserver with light system requirements...
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Starting vami-lighttpd:Extracting SSL certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Error: Failed to open the store.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: vecs-cli failed. Error 1021: Cannot connect to vmafd service.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Failed to retrieve certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: 2019-02-18 13:15:27: (/build/mts/release/bora-9049398/studio/src/vami/apps/lighttpd/1.4.45/src/network.c.273) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes
Feb 18 13:15:27 vcsa vami-lighttp[8225]: [  OK  ]
Feb 18 13:15:27 vcsa systemd[1]: Started LSB: Lightning fast webserver with light system requirements.

The network is operational, I can access VCSA via SSH once enabled via the console. Interestingly, I also see some corrupt / garbage info on the "View Support Information" page. Error Code : 1021 and SSL Thumbprint is corrupt.

I can't figure out why this is different and not working when the deployment ran smoothly on the pre-production test platform. I have FQDNs in place, a domain in place, forward and reverse lookup DNS is OK, etc.

I've searched quite a bit already, I've tried different versions of VCSA, tried ensuring IPv6 is enabled, having correct dates etc, but no joy.

Any ideas where to start?

0 Kudos
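
In the status output quoted in the post above, the unit is reported as active (running) and "Started" even though certificate extraction from VECS failed with error 1021. The following shell function is an added example, not part of the original thread, that triages such log lines; the verdict labels are made up for this example and the sample input is the log text from the post.

```shell
#!/bin/sh
# Added example: triage vami-lighttp start-up log lines.
# Output labels (started=, cert=, cause=, code=) are hypothetical names for this example.

# Sample input: log lines as quoted in the post above (long lighttpd warning omitted).
SAMPLE_LOG='Feb 18 13:15:27 vcsa systemd[1]: Starting LSB: Lightning fast webserver with light system requirements...
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Starting vami-lighttpd:Extracting SSL certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Error: Failed to open the store.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: vecs-cli failed. Error 1021: Cannot connect to vmafd service.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Failed to retrieve certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: [  OK  ]
Feb 18 13:15:27 vcsa systemd[1]: Started LSB: Lightning fast webserver with light system requirements.'

# Reads log text on stdin and prints a one-line verdict.
triage_vami_log() {
  awk '
    # vecs-cli reports a numeric error code; pull it out of "Error <n>:".
    /vecs-cli failed\. Error [0-9]+:/ {
      for (i = 1; i < NF; i++)
        if ($i == "Error") { code = $(i + 1); sub(/:$/, "", code) }
      if ($0 ~ /Cannot connect to vmafd service/) vmafd = 1
      certfail = 1
    }
    /Failed to retrieve certificate from VECS/ { certfail = 1 }
    # In the quoted log, systemd still records "Started ..." after the cert failure.
    /Started / { started = 1 }
    END {
      s = started ? "yes" : "no"
      if (!certfail) { printf "started=%s cert=no_failure_logged\n", s; exit }
      cause = vmafd ? "vmafd_unreachable" : "unknown"
      printf "started=%s cert=failed cause=%s code=%s\n", s, cause, (code == "" ? "none" : code)
    }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_vami_log
```

On the appliance the input could come from `journalctl -u vami-lighttp` instead of the embedded sample.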
8 Replies
GayathriS
Expert

This looks like a certificate issue.

Check out the article below to verify the certs manually:

https://ikb.vmware.com/s/article/2111411?lang=en_US#q=vecs-cli%20failed%20error%201021%20cannot%20co...

If you resolve it some other way, please update the thread.

regards

Gayathri

0 Kudos
xavierwalker
Contributor

Thanks, although not sure I can access that. I need an RSA token?!

Is that article available somewhere else?

0 Kudos
GayathriS
Expert

VMware Knowledge Base

This should be accessible.

This explains the vecs-cli command utility in 6.5: vecs-cli Command Reference

regards

Gayathri

0 Kudos
xavierwalker
Contributor

Thanks, I'll look into it tomorrow.

But I can't help thinking it's an infrastructure issue somewhere as the mere out of box installation fails.

I wonder if it's a name or DNS thing as that's what generally causes certificate issues. But I have it set up the same way as on the test platform as far as I can tell and that's fine.

So it just doesn't make sense.

0 Kudos
xavierwalker
Contributor

I can't run any of the vecs-cli commands as the vmafd service is unavailable.

There has to be something fundamentally wrong with the infrastructure / DNS / something. But I can't figure out why.

The VCSA has forward and reverse lookup DNS entries, it is reachable over the network (running IPv4 only, but I haven't disabled IPv6).

I'll carry on digging a bit, but it seems just super strange to fail right out of the box.

0 Kudos
xavierwalker
Contributor

Hmm. Upon some further testing, I cannot authenticate with the certificate manager.

I have deployed VCSA again, ensuring I use a complex password for the SSO account.

When I launch certificate manager, using the default Administrator@vsphere.local username and using my pre-defined password during deployment, it says it's incorrect.

So can you please confirm that I should use the default "Administrator@vsphere.local" username? If so, why would my password not be accepted?

0 Kudos
socaldave
Contributor

Did you ever find a resolution to this?

I'm experiencing the same issue with VCSA 7.0.3.01000. Forward and reverse DNS records are configured.

Starting vami-lighttp.service...
Starting vami-lighttpd:Extracting SSL certificate from VECS
 Error: Failed to open the store.
 vecs-cli failed. Error 1021: Cannot connect to vmafd service.
 Failed to retrieve certificate from VECS
 2022-10-05 17:40:58: (/build/mts/release/bora-16973022/studio/src/vami/apps/lighttpd/src/network.c.27
Oct 0[ OK ]
Started vami-lighttp.service.

0 Kudos
maksym007
Expert

vCenter installation is a straightforward thing. There is nothing that can create a problem. 

On the Internet try to find an example and it will guide you. 

Maybe the wrong admin name? Are you trying to add vCenter to the AD during installation?

0 Kudos