Packer: Vsphere postprocessor hangs on ssl fingerprint verification

Created on 16 Dec 2016 · 8Comments · Source: hashicorp/packer

Packer 0.12.0 on linux. Ovftools 4.10, vcenter 5.10

The postprocessor vsphere hangs forever without any message (even with PACKER_LOG=1)

   "post-processors": [{
    "type": "vsphere",
    "disk_mode": "thin",
    "host": "{{user `vcenter_host`}}",
    "datastore": "{{user `vcenter_datastore`}}",
    "username": "{{user `vcenter_username`}}",
    "password": "{{user `vcenter_password`}}",
    "vm_name": "{{ user `image_name` }}_template",
    "vm_network": "{{user `vcenter_network`}}",
    "cluster": "{{user `vcenter_cluster`}}",
    "datacenter": "{{user `vcenter_datacenter`}}",
    "overwrite": "true"
   },

I've tried to do the same operation directly with ovftools

/usr/lib/vmware-ovftool/ovftool --acceptAllEulas --name=mytemplate --datastore=myds --diskMode=thin --network=VM\ Network mytemplate.ova vi://me:password@myvcenter/mydatacenter/host/mycluster

Opening OVA source: mytemplate.ova
The manifest validates
Accept SSL fingerprint (AE:83:46:34:7F:DD:40:53:CB:69:B2:F4:15:2F:2C:0B:00:77:49:BD) for myvcenter as target type.
Fingerprint will be added to the known host file
Write 'yes' or 'no'

I've accepted with yes, it's worked. I've restarted packer build and the postprocessor doesn't hangs any more.

bug post-processovsphere

Source

marema31

All 8 comments

The VMware admins has renewed the SSL certificate and I encountered again this problem.

I found that ovftool relies on a file $HOME/.ovftool.ssldb that is updated when I launch the ovftool by hand

By example the fingerprint given by ovftool to be verified is AE:83:46:34:7F:DD:40:53:CB:69:B2:F4:15:2F:2C:0B:00:77:49:BD
and the $HOME/.ovftool.ssldb contains
myvcenterFQDN cert-sha1 roNGNH/dQFPLabL0FS8sCwB3Sb0=

I didn't find a way to verify the fingerprint against the content of the ovftool.ssldb file before starting packer.

The only workaround I have actually is to use the insecure option.

marema31 on 4 Jan 2017

👍1

Same problem that described in #2720

May be a first solution could be to add a note to the post-processor documentation to avoid people like me that re-opens a ticket.

marema31 on 10 Feb 2017

I have just encountered this as well with the exciting side effect of it using all available memory and hard locking the machine.

ryanwalder on 2 Feb 2018

This bug nailed me as well. It seems to happen once on any specific vCenter environment so it's especially painful for first-timers.

sbonds on 12 Apr 2018

I wonder if this problem goes away if you pass the --{source,dest}SSLThumbprint option to ovftool.

Definitely worth adding to the docs, but now that we know what's going on it seems like we have a few options

If passing the thumbprint explicitly solves this, it might be worth adding as a required field to the config (either pass thumbprint or use insecure?).

Otherwise, maybe we can catch the prompt and fail the build with a note to the user to ensure the key is valid.

mwhooker on 12 Apr 2018

You also could use "--noSSLVerify" to skip this verification.

bbabaaba on 20 Nov 2019

This was resolved in #7314 and released in Packer version 1.3.5. We also recently merged a PR that will improve the output so that the provisioner no longer hangs without providing any output.

SwampDragons on 29 Jul 2020

👍1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.