Description
problem
Currently, the systemvms using the template (https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-vmware.ova ) and running on vmware 8u03 and Cloudstack 4.20.1 are not connecting to the management server, the agent state is not up
versions
Cloudstack: 4.20.1
Vmware: 8u03
systemvm template :
https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-vmware.ova
The steps to reproduce the bug
-
Create a clousstack (4.20.1) env with vmware 8u03
-
Observe the systemvm state , the agent state will not be up
-
Check the logs of the systemvm
logs
2025-06-23T06:50:39,496 INFO [utils.nio.NioClient] (Agent-Handler-2:[]) Connected to 10.0.35.27:8250
2025-06-23T06:50:39,497 INFO [utils.nio.Link] (Agent-Handler-2:[]) Conf file found: /usr/local/cloud/systemvm/conf/agent.properties
2025-06-23T06:50:39,754 ERROR [utils.nio.Link] (Agent-Handler-2:[]) SSL error caught during wrap data: No trusted certificate found, for local address=/10.0.43.213:44648, remote address=/10.0.35.27:8250.
2025-06-23T06:50:39,757 INFO [utils.nio.NioClient] (Agent-Handler-2:[]) SSL: Handshake done
2025-06-23T06:50:39,805 INFO [cloud.agent.Agent] (Agent-Handler-2:[]) Lost connection to host: 10.0.35.27. Attempting reconnection while we still have 0 commands in progress.
2025-06-23T06:50:39,810 INFO [utils.nio.NioClient] (Agent-Handler-2:[]) NioClient connection closed
2025-06-23T06:50:39,813 ERROR [utils.nio.Link] (Agent-Handler-2:[]) SSL error caught during wrap data: No trusted certificate found, for local address=/10.0.43.213:44640, remote address=/10.0.35.27:8250.
2025-06-23T06:50:39,814 INFO [utils.nio.NioClient] (Agent-Handler-2:[]) SSL: Handshake done
2025-06-23T06:50:39,822 WARN [cloud.agent.Agent] (Agent-Handler-1:[]) Unable to send request to /10.0.35.27:8250 due to 'null', request: null
2025-06-23T06:50:39,809 ERROR [utils.nio.NioClient] (Agent-Handler-2:[]) IOException while connecting to 10.0.35.27:8250 java.nio.channels.ClosedChannelException
at java.base/sun.nio.ch.SocketChannelImpl.ensureOpenAndConnected(SocketChannelImpl.java:215)
at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:403)
at com.cloud.utils.nio.Link.doHandshakeUnwrap(Link.java:487)
at com.cloud.utils.nio.Link.doHandshake(Link.java:627)
at com.cloud.utils.nio.NioClient.init(NioClient.java:74)
at com.cloud.utils.nio.NioConnection.start(NioConnection.java:112)
at com.cloud.agent.Agent.reconnect(Agent.java:655)
at com.cloud.agent.Agent$ServerHandler.doTask(Agent.java:1233)
at com.cloud.utils.nio.Task.call(Task.java:83)
at com.cloud.utils.nio.Task.call(Task.java:29)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
2025-06-23T06:50:39,851 ERROR [utils.nio.NioClient] (Agent-Handler-2:[]) Unable to initialize the threads. java.nio.channels.ClosedChannelException
What to do about it?
There should be no ssl related errors when using the systemvm template
https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-vmware.ova
As a workaround, execute the following command on the systemvm's to reimport cloud.ca.crt into cloud.jks -trustcacerts is removed from the keytool command, so cacerts will not be checked when import the ca cert
KS_FILE=/usr/local/cloud/systemvm/conf/cloud.jks KS_PASS=$(grep keystore.passphrase /usr/local/cloud/systemvm/conf/agent.properties |cut -d "=" -f2) keytool -import -noprompt -storepass "$KS_PASS" -alias "cloudca.1" -file "/usr/local/cloud/systemvm/conf/cloud.ca.crt" -keystore "$KS_FILE"