Azure Endpoint configuration for VMware vRA/vRO Integration Error (Reason:’InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException)

This post is about one intriguing error you can hit while configuring the vRA/vRO Azure endpoint, and it deals only with that error.
Suppose you are integrating vRA/vRO with an Azure endpoint and following one of the articles below:

https://open902.com/vrealize-automation-7-2-azure-integration/
https://docs.vmware.com/en/vRealize-Automation/7.3/com.vmware.vra.prepare.use.doc/GUID-A6ECCAB3-AC4F-4543-99D8-4C43B9F00C57.html
http://www.vaficionado.com/2016/11/using-new-microsoft-azure-endpoint-vrealize-automation-7-2/

When you try to integrate vRA/vRO with the Azure endpoint, you may get this error:

Unable to create a vCO endpoint of type ‘Azure’.
Reason:’InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: No certificates found for url https://login.windows.net/ (Workflow:Import a certificate from URL using authenticated proxy server / Validate (item1)#12)’

You may come across this error when your vRO servers sit behind a proxy server, which is the case in most environments. vRO accesses the following URLs while connecting to Azure:

https://login.windows.net
https://management.azure.com

Proxies typically perform SSL interception, which will not work in this case. Speak to your network team and make sure they disable interception for the two URLs above.
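
One way to confirm whether the proxy is intercepting TLS for these two hosts, as an added example that is not part of the original post. It assumes an unauthenticated HTTP CONNECT proxy and a machine whose trust store does not contain the proxy's own CA; the function names are hypothetical.

```python
import socket
import ssl
import sys

# The two endpoints the post says vRO contacts when connecting to Azure.
AZURE_HOSTS = ("login.windows.net", "management.azure.com")


def open_tunnel(sock, host, port=443):
    """Send HTTP CONNECT on a socket already connected to the proxy."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split(None, 2)
    if len(status) < 2 or status[1] != b"200":
        raise ConnectionError(f"proxy refused CONNECT to {host}: {reply[:60]!r}")
    return sock


def check_host(proxy, host, timeout=10):
    """Handshake with `host` through `proxy` and validate the chain it presents."""
    ctx = ssl.create_default_context()  # public CA bundle plus hostname check
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        with ctx.wrap_socket(open_tunnel(sock, host), server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            name = issuer.get("organizationName") or issuer.get("commonName")
            return {"host": host, "verified": True, "detail": name}
    except ssl.SSLCertVerificationError as exc:
        # Typical when the proxy re-signs traffic with a CA this machine does not trust.
        return {"host": host, "verified": False, "detail": exc.verify_message}
    finally:
        sock.close()


def summarize(result):
    if result["verified"]:
        return f"{result['host']}: chain validates, issuer = {result['detail']}"
    return f"{result['host']}: SUSPECT interception ({result['detail']})"


if __name__ == "__main__":
    proxy = (sys.argv[1], int(sys.argv[2]))  # proxy host and port: your own values
    for azure_host in AZURE_HOSTS:
        print(summarize(check_host(proxy, azure_host)))
```

A chain that validates is only conclusive if the proxy's CA is absent from this machine's trust store, so read the printed issuer as well.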

Additionally, you must log on to the vRO console and import the certificate there for the URL https://management.azure.com. This is a requirement.

[Screenshot: the imported certificate for https://management.azure.com]

However, when you try to download the cert for https://login.windows.net, it will not work. It will say no certs are available.

Resolution:
a) Make sure SSL interception is disabled for https://login.windows.net and https://management.azure.com.
b) Allow your proxy to connect vRA/vRO to http://login.windows.net on port 80 so that the cert can be downloaded. In our case we were using a JBoss EWS forward proxy, and I spoke to my colleague to allow port 80 for http://login.windows.net.

That fixed the issue. Hope this helps you. If you have any feedback feel free to let me know.