VMware vCenter Orchestrator (vCO) installation ‘gotchas’

I needed a portable vCO lab environment, so I quickly installed the vCenter Server appliance, a ESXi host and the vCO appliance (5.5.2) on top of my notebook with VMware workstation.
For different reasons (mostly releated to my small lab setup) I had a bunch of problems during the setup of the vCO appliance, which I thought would be worth writing down.


1. DNS, DNS, DNS!
Durring the deployment of the vCO appliance OVF template I got the error ‘A connection error occurred. Verify that your computer can connect to vCenter Server’.
01_ovf_deployment
In a production environment of course you (should!) have a prober DNS service in place to resolve FQDNs forward & backwards. Even in a good lab you normally have an AD/DNS server in place.
As I didn´t had much time and limited resources on my notebook I just manipulated the local host files to map the three IP addresses to the related FQDN.

Long story short: If you are using the web client make sure that your local PC / notebook is also able to resolve the DNS names of the vCenter server and the ESXi hosts for a successful OVF deployment.

While the error above is not vCO specific, you will need also a prober DNS resolution for the vCO configuration itself.

Note: Using the C# client doesn´t require the resolution of the vCenter FQDN for a OVF deployment by the way.

2. SSL Certificate & Hostname
The following should be especially relate to the VCSA, if it was setup without OVF properties (in case of an installation on top of VMware Workstation for example), but can also occur if the vCenter hostname was changed after the installation.
While I tried to configure SSO as authentication source, I got the error: ‘The SSL certificate is unknown. You can correct this from the SSL Certificate tab.

02_ssl_error

In a previous step, I already imported the SSL certificate from the vCenter server. Below the SSL Certificate tab, I quickly noticed that the common name within the certificate was set to ‘localhost.localdom’.

03_ssl_localname_trust_manager
04_ssl_browser
A look into the web browser while navigating to the vSphere web client also showed me this entry in the certificate.

The reason for that is that the VCSA is generating the SSL certificates prior any manual modification to the default setting (and the default hostname is localhost.localdom).
05_vcsa_regenerate_ssl
To generate a new certificate you need to navigate to the VCSA admin portal, where you find the option ‘Certificate regeneration enabled’, which you need to set (temporary) to ‘Yes’. During the next reboot, the VCSA is now generating new certificates.

Within vCO you now need to reimport the certificate, which now shows the correct FQDN as common name.

06_new_cert_imported

The old certificate can be deleted for sure.

3. Time synchronization
After I fixed the SSL problem I just described I got the next error message: ‘Server returned ‘request expired’ less than 0 seconds after request was issued, but it shouldn´t have expired for at least 600 seconds.‘, which prevented me from connecting vCO and SSO.

07_time_error1
For whatever reason the ESXi host and the vCenter server had a time difference of 1 hour after the initial deployment. The vCO appliance was deployed on the nested ESXi host, so it´s time was the same as the ESXi time.
This turned out to be the problem. After I had the same time on all my server the error message disappeared and I finally was able to register SSO.

4. Restart vCO service
During the installation I had several other strange behaviors like the error message ‘Current node is not ACTIVE’ when I tried to login to the vCO client or just that the web server didn´t response to port 8281. 08_node_not_active
09_restart_service
It seems to be a good idea in such cases to restart the service of the vCO server via the configuration portal.
Also a restart of the service is required after you made some configuration changes like setting another SSO group etc.

Comments

  1. Really appreciate it. I ran into the 3rd issue even after configured ntp server for esxi hosts and I was able to register SSO after rebooting the esxi hosts. Thanks again!

    John.

Speak Your Mind

*