snyderkv
 asked on

Certificate error adding host to vCenter

I removed from inventory two ESXi 6.7 hosts that I did a clean rebuild on from ISO. Same one we've been using for all our other sites. Only this time, the vCenter kicks up an error trying to add them. I confirmed DNS, time and domain name are all good to go.

A general system error occurred. SSL Exception: The remote host certificate has has these problems. Unable to get local issuer certificate.

It seems as though this would be a vCenter issue, as these are clean rebuilds.

Thanks in advance


8/22/2022 - Mon
Zaheer Iqbal

Can you post the vpx log file, please?

Murali Sripada

You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system.
The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html


I guess you might be hitting this issue in 6.7 Update 3.
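
The CA-bit requirement quoted from the release notes above can be checked on any PEM certificate with openssl before it is offered to a trust store. This is an added example, not part of the original thread and not VMware code; the function names, the placeholder CN `esx01.example.test` and the throwaway certificates are constructed for illustration.

```bash
# Added example, not VMware code: models the CA-bit rule from the release note.
# Certificates, CN and function names are constructed for illustration.

# make_cert OUT_PEM TRUE|FALSE: throwaway self-signed cert with that CA flag.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = esx01.example.test
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1" 2>/dev/null
}

# cert_has_ca_bit PEM: succeeds if X509v3 Basic Constraints carries CA:TRUE.
cert_has_ca_bit() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# is_self_signed PEM: succeeds if subject and issuer names are identical.
is_self_signed() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# trust_store_verdict PEM: how the quoted rule would treat the certificate.
trust_store_verdict() {
    if cert_has_ca_bit "$1"; then
        echo "accepted: CA:TRUE present"
    elif is_self_signed "$1"; then
        echo "rejected: self-signed without CA:TRUE"
    else
        echo "rejected: no CA:TRUE"
    fi
}

# Demo on two constructed certificates.
demo=$(mktemp -d)
make_cert "$demo/ca.pem" TRUE && trust_store_verdict "$demo/ca.pem"
make_cert "$demo/leaf.pem" FALSE && trust_store_verdict "$demo/leaf.pem"
rm -rf "$demo"
```
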
snyderkv

ASKER
Yes, I have 6.7U3, but I fixed the issue by going to advanced configurations in vCenter, vpxd.certmgmt.mode, and setting it to thumbprint from custom. The advanced settings provided did not fix the issue. If anyone wants to add input later, be my guest.
tabale

This worked for me: "vpxd.certmgmt.mode and setting to thumbprint from custom." Thank you.