Afternoon,
I have a vRa/vCo setup that deploys Server 2012 R2 by building the VM, pre-provisioning its AD object, adding it to a collection in SCCM and then starting it. This will then run the Task Sequence to deploy the OS. This is working fine.
I want to install and configure the VRMGuestAgent to run some post SCCM deployment tasks. I'm calling it this as this is the folder name it needs to be installed to according to the document. I have version 6.2.2.4020.
I provision a new machine as above and then log in locally. I copy the VRMGuestAgent folder to the root of C:\ and run winservice.exe -i -h <FQDN of IAAS Server>:443 -p ssl to install the Service. I start the service and run doagentsvc.bat. This populates a 2KB cert.pem file eventually.
C:\VRMGuestAgent\axis2\logs\gugent-axis.log has the line:
[info] [ssl client] Client certificate chain filenot specified in it.
C:\VRMGuestAgent\GuestAgent.log repeats the two lines
Application.MachineQuery: [Information] uuid = 971e1e42-7d5b-d485-6341-06ae15cfce7c
Application: [Debug] Uninitializing subsystem: Logging Subsystem
I can run C:\VRMGuestAgent\bin>openssl.exe s_client -connect <FQDN of IAAS Server>:443 and get the two errors
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
IaaS is running on a Windows Server 2012 machine and the IIS website is for some reason secured by a self-signed cert that looks like: IaaS-20150414113240. If I change the cert to one issued to the IaaS server by our CA infrastructure and run C:\VRMGuestAgent\bin>openssl.exe s_client -connect <FQDN of IAAS Server>:443 I still get errors. If I add the switch -CAfile and point to a root CA cert converted to .pem it validates everything successfully.
Either way, doagentsvc.bat has the line c:\VRMGuestAgent\DynamicOps.Agent.Guest.exe /host=<FQDN of IAAS Server>::443 /ssl /config=c:\VRMGuestAgent\gugent.properties /script=c:\VRMGuestAgent\site and this doesn't work as it never pulls down the workitem.xml file. I think it's to do with the certificate chain error from gugent-axis.log.
I have:
Opened firewall ports for 443. Also testing on a network with no firewall.
Disabled TLS 1.2 compliance on the IaaS Server 2012 R2 box.
Any ideas/guides on getting this working would be greatly appreciated.
Cheers,
Rob.
I think you might need to install the cert chain in the template.
Had a similar issue before with IaaS self-signed. Grabbing it and putting it in the trusted root store fixed the issue.
For your CA cert, your root cert needs to be in the template too.
Also, if you are switching IaaS certs you'll need to tell the other components about the change!
I replaced the self signed cert on the IIS website today with one generated from our CA. The Cert path goes root CA --> intermediate CA --> IAAS host.
The VRMGuestAgent now downloads a 3KB .pem file instead of a 2KB file.
Openssl.exe s_client -connect <FQDN of IaaS server>:443 gives verify error:num=20:unable to get local issuer certificate now, and not 21. Still doesn't work though.
Not sure what else needs to be added to the certificate. We have a Server 2003 Intermediate (issuing) CA that is issuing the cert.
(I also ran the commands to update the other components and vRa is working as expected)
If your IaaS server is on Windows 2012 then you may need to disable TLS 1.2 - you may have reviewed this already but in case you hadn't:
vCAC 6.0.x with Windows 2012 Guest Agent “stuck” Looping with “wait.vbs” script | Cloud Relevant
http://vmwarevcloudvirtualization.blogspot.ie/2014/04/vcac-agent-ssl-issue.html
Along with the info DonaIB mentioned about TLS 1.2, you will also need to get the VRMGuestAgent 6.2.3.1690. There is a known bug with the 6.2.2 VRMGuestAgent that causes this error and the version I have mentioned gets you past that issue.
Regards
Ant
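The verify error 20 quoted in this thread can be reproduced offline. The following is an added example, not part of any post above and not VMware's code: it builds a throwaway root CA --> intermediate CA --> server chain (all names and certificates are constructed for the demo) and uses openssl verify to report the error number and the depth at which the chain breaks, with and without the root supplied through -CAfile.

```shell
#!/bin/sh
# Added example. All names and certificates here are constructed for the demo.

# Build a throwaway root CA -> intermediate CA -> server certificate in $1.
make_pki() {
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the certificate that belongs in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ext.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate (issuing) CA signed by the root, then the server cert signed by it.
  issue "$d" inter "Demo Issuing CA" root v3_ca &&
  issue "$d" leaf "iaas.demo.invalid" inter leaf
}

# issue DIR NAME CN SIGNER EXT_SECTION: create NAME.pem signed by SIGNER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/ext.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# check LEAF [verify options...]: print OK, or "<error number>@<depth>".
check() {
  leaf=$1; shift
  out=$(openssl verify "$@" "$leaf" 2>&1) && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1@\2/p' | head -n 1
}

demo() {
  d=$(mktemp -d) && make_pki "$d" || return 1
  echo "leaf only, root not trusted:      $(check "$d/leaf.pem")"
  echo "leaf + intermediate, no root:     $(check "$d/leaf.pem" -untrusted "$d/inter.pem")"
  echo "root trusted, intermediate sent:  $(check "$d/leaf.pem" -CAfile "$d/root.pem" -untrusted "$d/inter.pem")"
  rm -rf "$d"
}
demo
```

The depth shows which certificate is missing: depth 0 means the server certificate's issuer was not available, depth 1 means the intermediate was available but its root is not trusted locally.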