vCenter OVF Deployment Fails Access-Control-Allow-Origin Header Error

*** VMware Update ***

This issue has been reported to engineering. They are currently working on it and have scheduled the fix for 6.5 u2 which has been scheduled for release in Q2


We’ve been having some fun deploying OVF files to our VMware vCenter appliance environment lately. Historically this has worked just fine but following recent updates we haven’t been able to which has really been a pain and delayed some projects.
I decided to look more deeply into the issue as I really needed to deploy a new appliance image, it’s amazing what a deadline does to encourage troubleshooting!

Problem

The issue we face presents itself during the OVF deployment process, when the wizard attempts to validate the target host it takes a few moments then presents an error message. As you can see below, this message provides a KB article and suggests it could be related to certificates.

vCenter OVF Deployment Error KB2147256

I am a real stickler for good certificate deployment/practice so I found this hard to believe. I validated the certificates and found no issues with everything being valid and trusted.

vCenter OVF Deployment Certificate OK

Having done that I moved on to checking the certificates on all my hosts and found them to be valid. In my mind at this point certificate issues were ruled out so I figured it has to be something else. I had tested deployment in IE, Chrome and Firefox and each failed at the same point so I felt it wasn’t a browser specific issue.
Google Chrome has great developer tools built in to the browser, pressing F12 opens the console and you can then select whichever tool is appropriate. In this case I just wanted to view the Console menu. I went through the deployment process and kept an eye on the errors/warnings displayed and immediately on attempting to validate the hosts/cluster the error below was presented.

vCenter OVF Deployment Google Chrome Developer Tools Console Errors

This leapt out at me, I’ve done work on my website to implement various security headers and Content Security Policies (CSP) so it seemed likely I had found the problem. The next step was to disable the header checking in Chrome temporarily and re-run the deployment to see if I was right. To disable the protection settings and test my theory I used the launch options below, obviously you need to amend the path to reflect your Chome installation.

Note that you should be careful when leveraging advanced launch options, especially these which alter security!

Chrome Warning - You are using an unsupported command-line flag --disable-web-security. Stability and security will suffer

If you’re curious the two launch option descriptions state –

    • Don’t enforce the same-origin policy. (Used by people testing their sites.)
    • Directory where the browser stores the user profile

Success! With everything temporarily turned off the process completed without any errors. It would seem that the vCenter web interface is not setting the ‘Access-Control-Allow-Origin’ header correctly. It’s interesting that the console errors mention both the FQDN and the hostname for the vCenter website, I tried both and neither worked without making the launch option change.

I have a case opened with VMware to try to get to the bottom of this, fingers crossed they provide some good feedback and I can update this post or write a new one detailing the findings. For the moment we continue to use the Chrome launch option workaround whenever the need to deploy an OVF arises.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.