I'm really confused here and don't know why I'm having these issues.
I've installed a fresh install of VCSA on a new server running ESXi 6.7u1.
In the pre-production environment, this has worked fine. The appliance finished installing, I was able to connect over https and configure it.
However, on the production system, I just cannot figure out why it's not working.
The appliance deploys apparently OK with all the settings I supply in the scripts, but I cannot get to configure it.
netstat shows that none of the services are up and running.
Here's what I get when I try to start vami-lighttp:
root@vcsa [ /etc/sysconfig/network-scripts ]# service vami-lighttp status -l
* vami-lighttp.service - LSB: Lightning fast webserver with light system requirements
Loaded: loaded (/usr/lib/systemd/system/vami-lighttp.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-02-18 13:15:27 UTC; 4s ago
Process: 8195 ExecStop=/etc/rc.d/init.d/vami-lighttp stop (code=exited, status=0/SUCCESS)
Process: 8225 ExecStart=/etc/rc.d/init.d/vami-lighttp start (code=exited, status=0/SUCCESS)
Main PID: 8243 (vami-lighttpd)
Tasks: 1
Memory: 872.0K
CPU: 93ms
CGroup: /system.slice/vami-lighttp.service
+-8243 /opt/vmware/sbin/vami-lighttpd -f /opt/vmware/etc/lighttpd/lighttpd.conf
Feb 18 13:15:27 vcsa systemd[1]: Starting LSB: Lightning fast webserver with light system requirements...
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Starting vami-lighttpd:Extracting SSL certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Error: Failed to open the store.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: vecs-cli failed. Error 1021: Cannot connect to vmafd service.
Feb 18 13:15:27 vcsa vami-lighttp[8225]: Failed to retrieve certificate from VECS
Feb 18 13:15:27 vcsa vami-lighttp[8225]: 2019-02-18 13:15:27: (/build/mts/release/bora-9049398/studio/src/vami/apps/lighttpd/1.4.45/src/network.c.273) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes
Feb 18 13:15:27 vcsa vami-lighttp[8225]: [ OK ]
Feb 18 13:15:27 vcsa systemd[1]: Started LSB: Lightning fast webserver with light system requirements.
The network is operational, I can access VCSA via SSH once enabled via the console. Interestingly, I also see some corrupt / garbage info on the "View Support Information" page. Error Code : 1021 and SSL Thumbprint is corrupt.
I can't figure out why this is different and not working when the deployment ran smoothly on the pre-production test platform. I have FQDNs in place, a domain in place, forward and reverse lookup DNS is OK, etc.
I've searched quite a bit already, I've tried different versions of VCSA, tried ensuring IPv6 is enabled, having correct dates etc, but no joy.
Any ideas where to start?
This looks like a certificate issue.
Check out the article below to verify the certs manually:
If you resolve it by another option or way, please update the thread.
regards
Gayathri
Thanks, although not sure I can access that. I need an RSA token?!
Is that article available somewhere else?
This should be accessible
This explains the vecs-cli command utility in 6.5: vecs-cli Command Reference
regards
Gayathri
Thanks, I'll look into it tomorrow.
But I can't help thinking it's an infrastructure issue somewhere as the mere out of box installation fails.
I wonder if it's a name or DNS thing as that's what generally causes certificate issues. But I have it set up the same way as on the test platform as far as I can tell and that's fine.
So it just doesn't make sense.
I can't run any of the vecs-cli commands as the vmafd service is unavailable.
There has to be something fundamentally wrong with the infrastructure / DNS / something. But I can't figure out why.
The VCSA has forward and reverse lookup DNS entries, it is reachable over the network (running IPv4 only, but I haven't disabled IPv6).
I'll carry on digging a bit, but it seems just super strange to fail right out of the box.
Hmm. Upon some further testing, I cannot authenticate with the certificate manager.
I have deployed VCSA again, ensuring I use a complex password for the SSO account.
When I launch certificate manager, using the default Administrator@vsphere.local username and using my pre-defined password during deployment, it says it's incorrect.
So can you please confirm that I should use the default "Administrator@vsphere.local" username? If so, why would my password not be accepted?
Did you ever find a resolution to this?
I'm experiencing the same issue with VCSA 7.0.3.01000. Forward and reverse DNS records are configured.
Starting vami-lighttp.service...
Starting vami-lighttpd:Extracting SSL certificate from VECS
Error: Failed to open the store.
vecs-cli failed. Error 1021: Cannot connect to vmafd service.
Failed to retrieve certificate from VECS
2022-10-05 17:40:58: (/build/mts/release/bora-16973022/studio/src/vami/apps/lighttpd/src/network.c.27
Oct 0[ OK ]
Started vami-lighttp.service.
vCenter installation is a straightforward thing. There is nothing that can create a problem.
Try to find an example on the Internet and it will guide you.
Maybe the wrong admin name. Are you trying to add vCenter to the AD during installation?