2 Replies Latest reply on Jan 31, 2018 8:41 PM by DRAGONKZ

    Can't add ESXi host with "custom" certificate to existing vSAN cluster

    DRAGONKZ Novice

      I'm having issues adding a host with a "custom" certificate from my Windows PKI to an existing vSAN cluster.


      The background to the issue is as follows:


      I've had a vSAN environment with 4 hosts running with no problems for several months.


      I updated everything to the latest versions as of right now (ie, VCSA, ESXi, vSAN)


      I had no issues after doing this.


      A few days later I embarked on the journey of replacing all certificates using "custom" ones from my Windows PKI.


      All of the vCenter aspect seems to be fine, and the custom certificates are in use and in VECS.


      As soon as I replace the certificate on a host and it connects back to vCenter and my vSAN enabled cluster, all hell breaks loose!


      Essentially the vSAN health service dies (and all GUI vSAN options with it), and I can't exit the server from maintenance mode.


      Replacing the certificate back to the default self signed one goes back to everything being ok.


      I rebuilt the host and replaced the certificate before joining it back to vCenter, and the exact same problems occur.


      If I generate a self signed one it works happily.


      Are there any special requirements for vSAN when working with "custom" certificates?


      Any help appreciated!



        • 1. Re: Can't add ESXi host with "custom" certificate to existing vSAN cluster
          parmarr Expert
          Knowledge ChampionVMware Employees




          Found a known issue/incompatability on this in some cases. Still need more data on it though.



          From your description it loooks like some/all of the cert regen stuff has been done. But please try these steps to see if we can get your custom certs to play nice.



          Please try these steps and let us know if it works for your  environment:  To resolve this issue,






          Recreate new host certificates including Client & Server Authentication

          openssl x509 -in /etc/vmware/ssl/rui.crt  -inform pem -noout -text | grep "X509v3 Extended Key Usage" -A1




          Incorrect configuration returned:


          X509v3 Extended Key Usage:

               TLS Web Server Authentication



          The correct one is like below:



          X509v3 Extended Key Usage:

               TLS Web Server Authentication, TLS Web Client Authentication




          2. Fill castore.pem with intermediate & root CA certificate



          3. Restart vsanmgmtd on ESXi

          • 2. Re: Can't add ESXi host with "custom" certificate to existing vSAN cluster
            DRAGONKZ Novice

            Thanks for the reply!


            My certs were correct, but the castore.pem needed to be replaced with one that had my CAs in it, as you mentioned.


            After doing this I could enable the vSAN service when using custom certs on hosts.


            I find it odd that this is not documented anywhere in a KB?


            Thanks again!