snyderkv

Certificate error adding host to vCenter

I removed from inventory two ESXi 6.7 hosts that I did a clean rebuild on from ISO. Same one we've been using for all our other sites. Only this time, the vCenter kicks up an error trying to add them. I confirmed DNS, time and domain name are all good to go.

A general system error occurred. SSL Exception: The remote host certificate has these problems. Unable to get local issuer certificate.

It seems as though this would be a vCenter issue, as these are clean rebuilds.

Thanks in advance
Zaheer Iqbal

Can you post the vpx log file, please?

Murali Sripada

You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system
The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html


I guess you might be hitting this issue in 6.7 update 3
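
The release note quoted above turns on one X.509 property, the CA bit in Basic Constraints. As an added example (not part of the thread and not VMware's code), this script generates two throwaway self-signed certificates with openssl and reports that bit for each; the host name, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: report the X509v3 Basic Constraints CA bit of a PEM certificate.
# Host name, file names and function names are constructed for this demo.

# Print "CA:TRUE", "CA:FALSE", "absent" (no extension) or "unreadable".
ca_bit() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable"; return 2; }
    printf '%s\n' "$text" | awk '
        /X509v3 Basic Constraints/ { getline; found = 1
            if ($0 ~ /CA:TRUE/) print "CA:TRUE"; else print "CA:FALSE"
            exit }
        END { if (!found) print "absent" }'
}

# Succeeds when subject and issuer names match (heuristic for self-signed).
self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# make_cert SECTION OUT: self-signed demo cert using extension section SECTION.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/openssl.cnf" \
        -extensions "$1" -keyout "$DEMO/$1.key" -out "$2" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = esxi01.example.test
[leaf]
basicConstraints = critical,CA:FALSE
[ca]
basicConstraints = critical,CA:TRUE
EOF

make_cert leaf "$DEMO/host.pem"   # self-signed server cert, CA bit not set
make_cert ca   "$DEMO/root.pem"   # self-signed cert with the CA bit set
for c in "$DEMO/host.pem" "$DEMO/root.pem"; do
    if self_signed "$c"; then kind="self-signed"; else kind="CA-issued"; fi
    echo "$(basename "$c"): $kind, basic constraints $(ca_bit "$c")"
done
```

Both demo certificates are self-signed; only `root.pem` carries `CA:TRUE`, the property the release note says the trust store requires.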
snyderkv

ASKER

Yes, I have 6.7U3, but I fixed the issue by going to the advanced configuration in vCenter, vpxd.certmgmt.mode, and setting it to thumbprint from custom. The advanced settings provided did not fix the issue. If anyone wants to add input later, be my guest.
This worked for me: "vpxd.certmgmt.mode and setting to thumbprint from custom." Thank you.