VMware vSAN 6.x health plug-in fails to load with the error: Unexpected status code: 400 (2133384)

Symptoms

When running VMware vSAN 6.x with the vSAN health plug-in, you experience these symptoms:

  • The VMware vSAN health plug-in is not available in the vSphere Web Client.
  • In VMware vCenter Server Appliance (VCSA), installation of the plug-in using the command /usr/lib/vmware-vpx/vsan-health/health-rpm-post-install.sh completes and you see output similar to:

    2015-05-15T21:32:05.710Z   WARNING Value for install-parameter rhttpproxy.cert is empty
    Traceback (most recent call last):
     File "/usr/lib/vmware-vpx/firstboot/vsanhealth_firstboot.py", line 292, in Main
      res = vsanhealth_fb.get_rp_cert_info()
     File "/usr/lib/vmware/site-packages/cis/firstboot.py", line 185, in get_rp_cert_info
      thumbprint, ssl_trust, crt = get_certinfo(rp_cert_file)
     File "/usr/lib/vmware/site-packages/cis/tools.py", line 184, in get_certinfo
      f.readFile(cert_file)
     File "/usr/lib/vmware/site-packages/cis/utils.py", line 1028, in readFile
      loErrMsg = localizedString(errMsg, file_name, e)
    TypeError: localizedString() takes at most 2 arguments (3 given)
    2015-05-15T21:32:05.712Z   VSAN Health firstboot failed


    Notes:
    • In a Windows vCenter Server installation, you may see similar entries in the vSAN health log file (%VMWARE_LOG_DIR%/vsan-health/vmware-vsan-health-service.log).
    • The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  • In the vmware-vsan-health-service.log file, you see this error repeatedly:

    Failed to log into VC, retrying in 10 seconds

    • In VCSA, the vmware-vsan-health-service.log file is located at /var/log/vmware/vsan-health/
    • In a Windows vCenter Server installation, the vmware-vsan-health-service.log file is located at %VMWARE_LOG_DIR%/vsan-health/

  • When you click the health section under Manage > Settings > vSAN > Health, you see this error in the vSphere Web Client:

    Unexpected status code: 400

  • No health plug-in information is present in the vSphere Web Client vSAN Health section; all fields are blank.

Cause

There are two potential causes for this issue, and you may be affected by one or both of them. The issue occurs when:

  • The configured path for the reverse HTTP proxy cert (rhttpproxy.cert) is empty or missing.
  • The proxy certificate files, rui.crt and rui.key, cannot be read by the vSAN health plug-in, because it runs as a de-privileged user that does not have read access to the certificate files. This issue occurs on VCVA only.

    Note: This does not apply to Windows vCenter Server Installations.

Resolution

To diagnose and resolve this certificate issue, check the rhttpproxy.cert location using the install-parameter utility, correct the certificate path, resolve any file permission issues (VCSA only), and restart the vCenter Server or vCenter Server Appliance (VCSA). 

The steps to resolve this issue are different for vCenter Server Appliance and Windows vCenter Server. Follow the relevant section for the version of vCenter Server.

vCenter Server Appliance


To check and correct the path for rhttpproxy.cert and resolve any file permission issues in the vCenter Server Appliance (VCSA):

  1. Connect to the VCSA shell. For more information, see the Access the Appliance Shell section in the vCenter Server Appliance Configuration guide.
  2. Run this command to check the currently configured path for rhttpproxy.cert:

    /bin/install-parameter rhttpproxy.cert

    If the response is EMPTY, proceed with steps 3 and 4. If the response is /etc/vmware-rhttpproxy/ssl/rui.crt, proceed to step 5.

  3. Run the install-parameter command to set the cert location:

    /bin/install-parameter rhttpproxy.cert -s /etc/vmware-rhttpproxy/ssl/rui.crt

  4. Run the install-parameter command again to confirm the change:

    /bin/install-parameter rhttpproxy.cert

    You see this output:

    /etc/vmware-rhttpproxy/ssl/rui.crt

  5. Check the file properties in the folder /etc/vmware-vpx/ssl/ using the ls -alFh command:

    vcva:/etc/vmware-vpx/ssl # ls -alFh
    total 28K
    drwxr-x--- 2 root cis 4.0K Sep 18 15:35 ./
    drwxr-xr-x 14 root root 4.0K Sep 18 16:28 ../
    -rw-r----- 1 root cis 3.0K Jun 15 16:53 rui.crt
    -rw-r----- 1 root cis 1.7K Jun 15 16:53 rui.key
    -rw------- 1 root root 65 May 30 19:55 symkey.dat
    -rw-r----- 1 root cis 2.9K Jun 15 16:53 vcsoluser.crt
    -rw-r----- 1 root cis 1.7K Jun 15 16:53 vcsoluser.key


    Verify that the certificate files rui.crt, rui.key, vcsoluser.crt, and vcsoluser.key have a CHMOD value of 640 and that the group owner is cis. If your file permissions match the output exactly, proceed to step 8. If not, apply steps 6 and 7.

  6. To correct the file permissions, run these commands within the /etc/vmware-vpx/ssl/ folder:

    chmod 640 rui.*
    chmod 640 vcsoluser.*
    chown root:cis rui.*
    chown root:cis vcsoluser.*


  7. Run the ls -alFh command on the /etc/vmware-vpx/ssl/ directory to confirm that the permissions are correctly configured.
  8. After ensuring that the permissions on the certificate files are correct, run this command to restart the health service install:

    /usr/lib/vmware-vpx/vsan-health/health-rpm-post-install.sh

    Note: The script prompts you to restart all the VCVA services. Enter Yes to confirm.

  9. When the script completes, restart the VCVA.
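
The check in steps 5 to 7 as a read-only script, added here as an example and not part of VMware's article or tooling. The function name audit_cert_perms is hypothetical, and the script assumes GNU stat is available in the appliance shell:

```shell
#!/bin/sh
# Added example: read-only audit of the four certificate files from step 5.
# It changes nothing; it only reports which files deviate from the expected
# mode and group so that steps 6 and 7 are applied only where needed.

# audit_cert_perms DIR [GROUP] [MODE]
# GROUP and MODE default to the values the article expects (cis, 640).
# Returns 0 when every file matches, 1 when any file is missing or deviates.
audit_cert_perms() {
    dir=$1
    want_group=${2:-cis}
    want_mode=${3:-640}
    rc=0
    for f in rui.crt rui.key vcsoluser.crt vcsoluser.key; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # GNU stat: %a prints the octal mode, %G the owning group name.
        mode=$(stat -c '%a' "$path")
        group=$(stat -c '%G' "$path")
        if [ "$mode" = "$want_mode" ] && [ "$group" = "$want_group" ]; then
            echo "OK       $path ($mode, group $group)"
        else
            echo "FIX      $path has $mode, group $group; expected $want_mode, group $want_group"
            rc=1
        fi
    done
    return $rc
}

# On the appliance, audit the directory from step 5 (skipped elsewhere).
if [ -d /etc/vmware-vpx/ssl ]; then
    audit_cert_perms /etc/vmware-vpx/ssl || echo "Apply steps 6 and 7."
fi
```

A mode looser than 640 is reported as FIX as well, which keeps the private keys from being left world-readable while the plug-in's read access is restored.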

Windows vCenter Server


To check and correct the path for rhttpproxy.cert in a Windows vCenter Server installation:
  1. Connect to the Windows vCenter Server machine.
  2. Run this command to check the currently configured path for rhttpproxy.cert:

    %VMWARE_INSTALL_PARAMETER% rhttpproxy.cert

  3. Run the install-parameter command to set the cert location:

    %VMWARE_INSTALL_PARAMETER% rhttpproxy.cert -s %VMWARE_CFG_DIR%\vmware-rhttpproxy\ssl\rui.crt

  4. Run the install-parameter command again to confirm the change:

    %VMWARE_INSTALL_PARAMETER% rhttpproxy.cert

    You see output similar to:

    %VMWARE_CFG_DIR%\vmware-rhttpproxy\ssl\rui.crt

  5. Restart the vCenter Server services. For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).

Additional Information

For more information about the vSAN Health Check plug-in, see the VMware vSAN Health Check Plugin Guide.
