VMware Cloud Community
jkuntztech
Contributor

vCloud Media Upload Error: Thumbprint Mismatch

I am receiving an error when uploading media into a catalog of any organization. This is across the board with any type of media that is uploaded (ovf, iso, etc). I only receive the error when uploading through my external DNS name. If I hit the web server by IP it works fine. I am using a signed wild-card certificate for both VMRC and HTTPS.

"Target SSL fingerprint mismatch detected (expected: [thumbprint], actual: )."

I have checked the SSL certs on my cells and everything is matching up correctly. I've looked in the logs but have run out of places to look. Any assistance would be appreciated.

Thanks!

20 Replies
tuzakey
Contributor

How are you load balancing your cells and are you doing ssl offload or just pass through?

jkuntztech
Contributor

I removed the load balancer and am doing a direct NAT to my primary cell at this point and am still receiving the error. I should also mention this was after upgrading to vCD 5.5.

tuzakey
Contributor

Is your public/api url from general settings pointed at the primary cell or is it still pointed at the loadbalancer?  I had a similar issue but it was a misconfiguration in my loadbalancer.

You might sniff the handshake to make sure it's doing what it's supposed to be.  What are you using for loadbalancer/nat?

jkuntztech
Contributor

My API URL points to my public DNS entry. This is the topology I have currently.

[A Record] ---> [External NAT] ---> [CELL01 IP]

The NAT is being done by a Palo Networks appliance.

IamTHEvilONE
Immortal

-- removed

MarioLenz
Contributor

We have the same problem. Were you able to solve it and, if so, how did you do it?

jkuntztech
Contributor

Unfortunately, at this point VMware's support team has rolled this issue into a bug report. I will post back here once I receive a fix for the issue.

MarioLenz
Contributor

Hi!

I booted a Live Linux (Knoppix), tried to upload an ISO and got the following error message:

Server not specified: vcloud://?org=myOrg&media=something.iso&catalog=myOrg Catalog

Maybe this is a different issue but I don't think so. You see, if the plugin doesn't know where to connect to then there's no SSL connection and, therefore, no actual SSL fingerprint to be displayed.

Would it be possible for you to try the same?

cu

   Mario

admin
Immortal

I've heard word that one user was able to work around the issue by connecting directly to the vCloud cell rather than using the Public Address. Could be worth trying in the interim while we figure it out.

-Eric

jkuntztech
Contributor

Eric, this is correct, you can connect directly to your public or internal IP address of the cell or load balancer VIP. This is currently how we are working around the issue. As mentioned earlier in this thread, it might be an issue with the Integration plugin that is causing it as well. I will do my best to keep this thread updated with a fix as soon as it becomes available to me.

Thanks,

fert3
Contributor

I have the same issue, can you confirm, that vcloud deployments starting with https://cloud

MarioLenz
Contributor

The URL of our vCloud deployment starts with "cloud", too. According to VMware support this is the problem. I hope they'll fix this soon.

/Mario

IamTHEvilONE
Immortal

Disable SSL Offload/Termination for the HTTPS load balancing pool, and ensure that all sessions from the same client system are routed to the same cell (route based on Source IP for example).

Zimeon
Contributor

As the previous reply states, using SSL offloading with a valid public certificate and a self-signed certificate on the vCD node will cause this. No need to disable SSL offloading, but it does kind of make it pointless. Routing sessions to the same vCD node should be used regardless of SSL offloading.

MarioLenz
Contributor

Attempting to upload a vApp or media file failed with the error Target SSL fingerprint mismatch detected if the vCloud Director DNS name includes cloud. This issue is resolved in vCloud Director 5.5.1.

vCloud Director 5.5.1 Release Notes

IamTHEvilONE
Immortal

I agree that using SSL offloading is definitely preferred.  We are still looking into this, as it is a change in how the product works from the 5.1.x generation (and prior) to the 5.5.x generation.

What I would ask is that anyone seeing this problem file a support ticket.  We can then use that to adjust the weight/priority of the issue internally.

crosdorff
Enthusiast

Did this fix make it into the 5.6.3 vCloud for service providers?

IamTHEvilONE
Immortal

vCD 5.6.x does fix this via new code.

We offer the ability to put the Front End SSL Cert into the Public Addresses section, so that is where the thumbprint is gathered from (not the local cell).

crosdorff
Enthusiast

Thanks for your prompt answer.

The text in the Public Address page is:

"If you specify an address in vCloud Director secure public URL, you must place the certificate chain for that address here.

The certificate chain must consist of zero or more PEM-encoded X.509 certificates."

However VCD expects the Certificate itself here and not the intermediate certificates. The word "chain" is confusing here.

At first I entered our intermediate certificates from Comodo here. And then the thumb-print mismatch error occurred.

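The mismatch described in the last post (an intermediate pasted where the endpoint's own certificate is expected) and the offload case earlier in the thread (the front end serving a different certificate than the cell) can both be checked by comparing thumbprints. This is an added example, not code from the thread or from VMware; the function names, the SHA-1 default and the placeholder byte strings are assumptions.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in pasted PEM text."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(pem_text)]


def thumbprint(der, algorithm="sha1"):
    """Colon-separated hex digest of the DER bytes (algorithm is an assumption)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def presented_der(host, port=443):
    """Fetch the certificate a live endpoint presents (needs network access)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def check_pasted(pem_text, served_der, algorithm="sha1"):
    """Report which pasted block, if any, is the certificate the endpoint serves."""
    served = thumbprint(served_der, algorithm)
    pasted = [thumbprint(d, algorithm) for d in split_bundle(pem_text)]
    index = pasted.index(served) if served in pasted else None
    # ok only when the served certificate is the first block pasted
    return {"served": served, "pasted": pasted,
            "match_index": index, "ok": index == 0}


# Constructed placeholder bytes standing in for DER certificates; the digest
# only depends on the encoded bytes, so no real certificate is embedded here.
LEAF = b"constructed-wildcard-leaf"
INTERMEDIATE = b"constructed-intermediate-ca"
to_pem = ssl.DER_cert_to_PEM_cert

if __name__ == "__main__":
    # Only the intermediate was pasted: nothing matches what is served.
    print(check_pasted(to_pem(INTERMEDIATE), LEAF))
    # The endpoint's own certificate comes first: thumbprints agree.
    print(check_pasted(to_pem(LEAF) + to_pem(INTERMEDIATE), LEAF))
```

Against a live deployment, pass `presented_der("<public-hostname>")` and `presented_der("<cell-ip>")` as `served_der` in turn; differing thumbprints between the two indicate that the front end and the cell serve different certificates.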