Issue with installing on esxi 8
kylejericson opened this issue · 19 comments
I tried via ssh and same issue
Can you please check /var/log/syslog without grep? 
Most likely there are error messages around these time frames that will provide insights into why cert retrieval didn't work.
I can get this far. I wonder why when it does a verify it looks at 127.0.0.1
It's fine that it lists 127.0.0.1 but based on the output, which is unfortunately truncated in the screenshot, the acme_tiny.py script has thrown an exception. The lines immediately afterwards would be interesting...
Is there a way I can DM you the full log?
The issue is that the host is not Internet-reachable on port 80. After retrieving the certificate it will be served on port 443 but before obtaining that, Let's Encrypt performs the HTTP challenge on port 80. Also see here:
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
Hence, please unblock port 80 in your firewall and try again.
Hmm, there may be a redirect happening to port 443 when Let's Encrypt requests the files, which would also need to be unblocked.
No, the WAN side would need to be 443 to 443 as well because this is the standard port Let's Encrypt expects.
Ah, so my rule on 443 is breaking this.
Sorry, new error:
[root@vmhost:/usr/lib/vmware/hostd/docroot] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomainname.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomainname.com
Getting directory...
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "./acme_tiny.py", line 46, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 97] Address family not supported by protocol>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[1060587]: Terminating watchdog process with PID 1060209
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[1060672]: args ('')
sfcbd-init[1060672]: Getting Exclusive access, please wait...
sfcbd-init[1060672]: Exclusive access granted.
sfcbd-init[1060683]: args ('ssl_reset')
sfcbd-init[1060683]: Getting Exclusive access, please wait...
sfcbd-init[1060683]: Exclusive access granted.
sfcbd-init[1060683]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 1060794
vvold is not running.
No clue, to be honest. I assume it's not a persistent error because in one of your previous screenshots #11 (comment), the connection to Let's Encrypt already worked. With the most recent error, obviously even the initial request fails.
You may either try to restart individual services like vpxa, or try your luck with a reboot of the entire machine.
OK, yeah, getting this every time now.
[root@vmhost:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomain.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomain.com
Getting directory...
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "./acme_tiny.py", line 46, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 97] Address family not supported by protocol>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[1052675]: Terminating watchdog process with PID 1052148
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[1052758]: args ('')
sfcbd-init[1052758]: Getting Exclusive access, please wait...
sfcbd-init[1052758]: Exclusive access granted.
sfcbd-init[1052769]: args ('ssl_reset')
sfcbd-init[1052769]: Getting Exclusive access, please wait...
sfcbd-init[1052769]: Exclusive access granted.
sfcbd-init[1052769]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 1052880
vvold is not running.
I've rebooted and uninstalled this and reinstalled.
I'm pretty sure it's a networking-related issue and nothing specific to this project or VIB. My best guess would be that your recent firewall changes have blocked ESXi from reaching external hosts on port 443. This thought is based on the previous screenshot that showed that connections to Let's Encrypt worked. As only you are familiar with your environment and how it is set up, I doubt I can provide you with any further helpful advice.
OK, thanks.
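A pre-flight check covering the two failure points discussed in this thread: the HTTP-01 challenge that Let's Encrypt can only perform on port 80, and the outbound fetch of the ACME directory that fails in the tracebacks above. This is an added example, not code from this project's VIB or from acme_tiny.py; the hostname, token and key-authorization values are placeholders you supply, and the directory URL and local port 8120 are taken from the log output on this page.

```python
import json
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Directory URL as it appears in the traceback on this page.
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
# Local port the helper HTTP server listened on in the log above.
CHALLENGE_PORT = 8120


def check_directory(url=ACME_DIRECTORY, timeout=10):
    """Fetch and parse the ACME directory. Returns (ok, dict_or_reason).
    On failure the second element is the urllib reason text, i.e. the same
    text shown after 'Response:' in the traceback (e.g. '[Errno 97] ...')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return True, json.load(resp)
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return False, str(getattr(exc, "reason", exc))


def serve_challenge_dir(acme_dir, port=CHALLENGE_PORT, bind="0.0.0.0"):
    """Serve acme_dir over plain HTTP in a background thread, like the
    'Serving HTTP on 0.0.0.0 port 8120' helper. Returns the server object."""
    handler = partial(SimpleHTTPRequestHandler, directory=acme_dir)
    server = ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_check(host, token, keyauth, port=80, timeout=5):
    """Fetch the HTTP-01 URL the way a validator would (plain HTTP; the ACME
    standard fixes the challenge on port 80). Returns (ok, detail). A
    firewall block, a redirect to 443 that is then refused, a 404, or a
    wrong body all surface here as ok=False with the reason in detail."""
    url = "http://{}:{}/.well-known/acme-challenge/{}".format(host, port, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8").strip()
    except (urllib.error.URLError, OSError) as exc:
        return False, "cannot fetch {}: {}".format(url, getattr(exc, "reason", exc))
    if body != keyauth:
        return False, "unexpected body {!r} (expected {!r})".format(body, keyauth)
    return True, "challenge served correctly on port {}".format(port)


if __name__ == "__main__":
    ok, detail = check_directory()  # outbound 443 check, as in the traceback
    print("ACME directory:", "reachable" if ok else detail)
```

Run the directory check from the ESXi shell first; if it fails, the reason text points at the outbound path, and a self_check against the host's public name on port 80 from outside the LAN then tells you whether the inbound challenge path is open.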
Cool, glad to hear that 👍