vCenter OVF Deployment Fails Access-Control-Allow-Origin Header Error

*** VMware Update ***

This issue has been reported to engineering. They are currently working on it and have scheduled the fix for 6.5 u2 which has been scheduled for release in Q2


We’ve been having some fun deploying OVF files to our VMware vCenter appliance environment lately. Historically this has worked just fine but following recent updates we haven’t been able to which has really been a pain and delayed some projects.
I decided to look more deeply into the issue as I really needed to deploy a new appliance image, it’s amazing what a deadline does to encourage troubleshooting!

Problem

The issue we face presents itself during the OVF deployment process, when the wizard attempts to validate the target host it takes a few moments then presents an error message. As you can see below, this message provides a KB article and suggests it could be related to certificates.

vCenter OVF Deployment Error KB2147256

I am a real stickler for good certificate deployment/practice so I found this hard to believe. I validated the certificates and found no issues with everything being valid and trusted.

vCenter OVF Deployment Certificate OK

Having done that I moved on to checking the certificates on all my hosts and found them to be valid. In my mind at this point certificate issues were ruled out so I figured it has to be something else. I had tested deployment in IE, Chrome and Firefox and each failed at the same point so I felt it wasn’t a browser specific issue.
Google Chrome has great developer tools built in to the browser, pressing F12 opens the console and you can then select whichever tool is appropriate. In this case I just wanted to view the Console menu. I went through the deployment process and kept an eye on the errors/warnings displayed and immediately on attempting to validate the hosts/cluster the error below was presented.

vCenter OVF Deployment Google Chrome Developer Tools Console Errors

jsplugin_main.js:30 Connected JS Plugin
jsplugin_ovamapper.js:106 name = 'VMware-NSX-Manager-6.4.0-7564187.ovf'
jsplugin_ovamapper.js:124 size = 238535
jsplugin_ovamapper.js:198 OVF file extracted: VMware-NSX-Manager-6.4.0-7564187.ovf size is: 238535
jsplugin_ovamapper.js:106 name = 'VMware-NSX-Manager-6.4.0-7564187.mf'
jsplugin_ovamapper.js:124 size = 177
jsplugin_ovamapper.js:211 other file extracted: VMware-NSX-Manager-6.4.0-7564187.mf size is: 177
jsplugin_ovamapper.js:106 name = 'VMware-NSX-Manager-6.4.0-7564187.cert'
jsplugin_ovamapper.js:124 size = 1931
jsplugin_ovamapper.js:207 certificate file extracted: VMware-NSX-Manager-6.4.0-7564187.cert size is 1931
jsplugin_ovamapper.js:106 name = 'VMware-NSX-Manager-6.4.0-7564187-disk1.vmdk'
jsplugin_ovamapper.js:124 size = 2681986048
jsplugin_ovamapper.js:201 VMDK file extracted: VMware-NSX-Manager-6.4.0-7564187-disk1.vmdk size is: 2681986048
jsplugin_utils.js:211 Starting upload to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.mf
jsplugin_utils.js:211 Starting upload to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.ovf
jsplugin_utils.js:211 Starting upload to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.cert
VM175:1 Failed to load https://BSA-VC.ad.bytesizedalex.com/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.mf: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://bsa-vc' is therefore not allowed access.
jsplugin_utils.js:228 An error occurred while transferring to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.mf
onUploadError @ jsplugin_utils.js:228
VM175:1 Failed to load https://BSA-VC.ad.bytesizedalex.com/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.cert: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://bsa-vc' is therefore not allowed access.
jsplugin_utils.js:228 An error occurred while transferring to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.cert
onUploadError @ jsplugin_utils.js:228
VM175:1 Failed to load https://BSA-VC.ad.bytesizedalex.com/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.ovf: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://bsa-vc' is therefore not allowed access.
jsplugin_utils.js:228 An error occurred while transferring to https://BSA-VC.ad.bytesizedalex.com:443/cls/data/186fc1e0-939b-473c-8b41-6bf0fbca0f59/descriptor.ovf

This leapt out at me, I’ve done work on my website to implement various security headers and Content Security Policies (CSP) so it seemed likely I had found the problem. The next step was to disable the header checking in Chrome temporarily and re-run the deployment to see if I was right. To disable the protection settings and test my theory I used the launch options below, obviously you need to amend the path to reflect your Chome installation.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" chromium-browser --disable-web-security --user-data-dir

Note that you should be careful when leveraging advanced launch options, especially these which alter security!

Chrome Warning - You are using an unsupported command-line flag --disable-web-security. Stability and security will suffer

If you’re curious the two launch option descriptions state –

  • --disable-web-security
    • Don’t enforce the same-origin policy. (Used by people testing their sites.)
  • --user-data-dir
    • Directory where the browser stores the user profile

Success! With everything temporarily turned off the process completed without any errors. It would seem that the vCenter web interface is not setting the ‘Access-Control-Allow-Origin’ header correctly. It’s interesting that the console errors mention both the FQDN and the hostname for the vCenter website, I tried both and neither worked without making the launch option change.

I have a case opened with VMware to try to get to the bottom of this, fingers crossed they provide some good feedback and I can update this post or write a new one detailing the findings. For the moment we continue to use the Chrome launch option workaround whenever the need to deploy an OVF arises.

2 thoughts on “vCenter OVF Deployment Fails Access-Control-Allow-Origin Header Error”

    • Hi Ben,

      Glad to hear this helped, I had to spend an hour or two explaining the problem and solution to VMware support. Sadly I have no further update from them and I’ve since moved jobs to another company so don’t have access to that ticket. I would have hoped a fix was out by now for this though!

      Reply

Leave a Reply to Alex BytesCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.