I am receiving an error when uploading media into a catalog of any organization. This is across the board with any type of media that is uploaded (ovf, iso, etc). I only receive the error when uploading through my external DNS name. If I hit the web server by IP it works fine. I am using a signed wild-card certificate for both VMRC and HTTPS.
"Target SSL fingerprint mismatch detected (expected: [thumbprint], actual: )."
I have checked the SSL certs on my cells and everything is matching up correctly. I've looked in the logs but have run out of places to look. Any assistance would be appreciated.
How are you load balancing your cells and are you doing ssl offload or just pass through?
I removed the load balancer and am doing a direct NAT to my primary cell at this point and am still receiving the error. I should also mention this was after upgrading to vCD 5.5.
Is your public/api url from general settings pointed at the primary cell or is it still pointed at the loadbalancer? I had a similar issue but it was a misconfiguration in my loadbalancer.
You might sniff the handshake to make sure it's doing what it's supposed to be. What are you using for loadbalancer/nat?
My API URL points to my public DNS entry. This is the topology I have currently.
[A Record] ---> [External NAT] ---> [CELL01 IP]
The NAT is being done by a Palo Networks appliance.
We have the same problem. Were you able to solve it and, if so, how did you do it?
Unfortunately, at this point VMware's support team has rolled this issue into a bug report. I will post back here once I receive a fix for the issue.
I booted a Live Linux (Knoppix), tried to upload an ISO and got the following error message:
Server not specified: vcloud://?org=myOrg&media=something.iso&catalog=myOrg Catalog
Maybe this is a different issue but I don't think so. You see, if the plugin doesn't know where to connect to then there's no SSL connection and, therefore, no actual SSL fingerprint to be displayed.
Would it be possible for you to try the same?
I've heard word that one user was able to work around the issue by connecting directly to the vCloud cell rather than use the Public Address. Could be worth trying in the interim while we figure it out.
Eric, this is correct, you can connect directly to the IP address of your public or internal IP address of the cell or load balancer VIP. This is currently how we are working around the issue. As mentioned earlier in this thread, it might be an issue with the Integration plugin that is causing it as well. I will do my best to keep this thread updated with a fix as soon as it becomes available to me.
The URL of our vCloud deployment starts with "cloud", too. According to VMware support this is the problem. I hope they'll fix this soon.
Disable SSL Offload/Termination for the HTTPS load balancing pool, and ensure that all sessions from the same client system are routed to the same cell (route based on Source IP for example).
As the previous reply states, using SSL offloading with a valid public certificate and a self-signed certificate on the vCD node will cause this. No need to disable SSL offloading, but it does kind of make it pointless. Routing sessions to the same vCD node should be used regardless of SSL offloading.
Attempting to upload a vApp or media file failed with the error "Target SSL fingerprint mismatch detected" if the vCloud Director DNS name includes "cloud". This issue is resolved in vCloud Director 5.5.1.
I agree that using SSL offloading is definitely preferred. We are still looking into this, as it is a change in how the product works from the 5.1.x generation (and prior) to the 5.5.x generation.
What I would ask is that anyone seeing this problem file a support ticket. We can then use that to adjust the weight/priority to the issue internally.
Did this fix make it into the 5.6.3 vcloud for service providers?
Thanks for your prompt answer.
The text in the Public Address page is:
"If you specify an address in vCloud Director secure public URL, you must place the certificate chain for that address here.
The certificate chain must consist of zero or more PEM-encoded X.509 certificates."
However VCD expects the Certificate itself here and not the intermediate certificates. The word "chain" is confusing here.
At first I entered our intermediate certificates from Comodo here. And then the thumb-print mismatch error occurred.