Czernobog
Expert

vRA 8.2 - add cloud account (vCenter) by IP - no cert pop-up / add entry to /etc/hosts ?


I need to add a new cloud account in Cloud Assembly, which is a vCenter that is in a DNS namespace that is isolated and cannot be reached using its FQDN from the vRA appliance.

When adding the vCenter per IP I get the error:

Failed to validate credentials. AdapterReference: http://provisioning-service.prelude.svc.cluster.local:8282/provisioning/vsphere/endpoint-config-adap.... Error: Failed to connect to vCenter: Your certificate may be untrusted. To trust the certificate validate your account credentials and accept the untrusted certificate. Save your cloud account after validation succeeds. Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'd expect for a pop-up to appear which would let me accept the certificate, but it does not. Is there a workaround for this issue?

I also tried to create a host entry for the remote vCenter in /etc/hosts on the vRA appliance, but the entries are not recognized.

0 Kudos
1 Solution

Accepted Solutions
Czernobog
Expert

I found a workaround for adding a vCenter cloud account - I've added a DNS entry in the same namespace where vRA is, but pointing to the vCenter IP.

Afterwards I've added a cloud account using the new DNS hostname, which resulted in receiving a prompt where I had to accept the (self-signed) vCenter certificate. After accepting the certificate I have changed the vCenter FQDN to IP address and the validation still worked. Lastly I have removed the aforementioned DNS entry, the cloud account is still accessible, hopefully permanently.

I have tried to do the same for the NSX-T cloud account, for the VIP and directly connecting to a manager as well - adding a DNS entry, accepting the certificate, but changing the target from FQDN to IP did not work, a proxy error is displayed. I will try it some more though.

 

I think, ultimately, that the error originates in the validation of the connection, where you actually can input the IP address of the target system but somehow the GUI bugs out and no certificate warning and acceptance prompt is displayed, like I have posted above.

0 Kudos
4 Replies
gradinka
VMware Employee

well you need the hostname, IP won't do

in this case you're most likely hitting cert error as the vCenter cert has the hostname in it, and not the IP, and it won't validate.

try to workaround it somehow...

0 Kudos
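The hostname-versus-IP point in the reply above, as an added example that is not part of the original thread: a sketch of the name check a TLS client applies, run over a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The host name and the address 192.0.2.10 are made up, and the sketch covers only name coverage, not whether the issuer is trusted.

```python
import ipaddress

# Constructed sample (not from the thread), in the dict shape returned by
# ssl.SSLSocket.getpeercert(): a certificate that lists only a DNS name.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcenter01.isolated.example"),),),
    "subjectAltName": (("DNS", "vcenter01.isolated.example"),),
}


def _as_ip(value):
    """Return an ipaddress object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_target(cert, target):
    """Return (ok, reason) for connecting to `target` with this certificate."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(target)
    if ip is not None:
        # An IP target is compared only with iPAddress SANs, never DNS names.
        listed = [_as_ip(v) for kind, v in sans if kind == "IP Address"]
        if ip in listed:
            return True, "IP listed in SAN"
        return False, "no iPAddress SAN for %s" % target
    names = [v for kind, v in sans if kind == "DNS"]
    if any(_dns_match(n, target) for n in names):
        return True, "DNS name listed in SAN"
    return False, "no DNS SAN matches %s" % target


if __name__ == "__main__":
    for t in ("vcenter01.isolated.example", "192.0.2.10"):
        print(t, check_target(SAMPLE_CERT, t))
```

A certificate reissued with both the DNS name and the IP address in its subjectAltName passes this check for either target.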
Czernobog
Expert

Is it possible to set a host entry on the vRA appliance?

0 Kudos
Czernobog
Expert

This is the current, default config of nsswitch.conf?

 

cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: files
group: files
shadow: files

hosts: files dns
networks: files

protocols: files
services: files
ethers: files
rpc: files
# End /etc/nsswitch.conf

 

This allows getent to resolve local hostnames, but host and nslookup use dns servers only afaik.

What utility does the application use? Is it at all possible to use local hostnames with vRA?

0 Kudos