
Certificate error adding host to vCenter

snyderkv asked
Last Modified: 2020-03-02
I removed from inventory two ESXi 6.7 hosts that I did a clean rebuild on from ISO. Same one we've been using for all our other sites. Only this time, the vCenter kicks up an error trying to add them. I confirmed DNS, time and domain name are all good to go.

A general system error occurred. SSL Exception: The remote host certificate has these problems. Unable to get local issuer certificate.

It seems as though this would be a vCenter issue, as these are clean rebuilds.

Thanks in advance

Zaheer Iqbal, Technical Assurance & Implementation
CERTIFIED EXPERT

Commented:

Can you post the vpx log file, please?

Murali Sripada, VMware Engineer | vExpert 18/19/20
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system.
The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html


I guess you might be hitting this issue in 6.7 Update 3.
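
The two certificate properties this thread turns on, as an added example (not part of the original posts and not VMware's code): whether a certificate carries the CA bit the quoted release note describes, and its SHA-256 thumbprint. The host names, sample certificates and function names are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example; host names and certificates below are constructed samples.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Succeeds if the certificate carries X509v3 Basic Constraints CA:TRUE,
# the bit the quoted release note says the ESXi trust store requires.
cert_has_ca_bit() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeeds if subject and issuer are identical (a self-issued certificate).
cert_is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Prints the SHA-256 fingerprint, the value to compare out of band with the
# host's own console before accepting a host by thumbprint.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Creates a constructed self-signed certificate; $1 = CN, $2 = CA:TRUE|CA:FALSE.
make_sample_cert() {
  cat > "$work/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $1
[ext]
basicConstraints = critical,$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/$1.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
  echo "$work/$1.pem"
}

report() {
  cert_has_ca_bit "$1" && ca_bit=yes || ca_bit=no
  cert_is_self_issued "$1" && self=yes || self=no
  echo "$(basename "$1"): CA=$ca_bit self-issued=$self sha256=$(cert_thumbprint "$1")"
}

no_ca=$(make_sample_cert esx01.example.test CA:FALSE)
with_ca=$(make_sample_cert esx02.example.test CA:TRUE)
report "$no_ca"; report "$with_ca"
```

To inspect a real host certificate instead of the samples, save it as a PEM file and pass that path to `report`.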

Author

Commented:
Yes, I have 6.7U3, but I fixed the issue by going to the advanced configuration in vCenter, vpxd.certmgmt.mode, and setting it to thumbprint from custom. The advanced settings provided did not fix the issue. If anyone wants to give input later, be my guest.
Commented:
See the last post