27 Replies. Latest reply on Nov 6, 2019 12:32 PM by vmwaresucksatrestarting
      • 15. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
        COS Master

        Telnet connects and my cursor goes to the top left and blinks? Good? Bad? I'm not sure......lol

         

        I don't quite understand how to "try openssl to check the SSL connection".

        Can you elaborate?

         

        Thanks

        • 16. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
          bharathl Enthusiast

          Yes, telnet is good and connected to 443. I have installed openssl and from the command prompt I ran the following commands to check the SSL certificate on the other machine.

           

          openssl s_client -connect bharath-pc:443 -ssl3

          openssl s_client -connect bharath-pc:443 -tls1

          • 17. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
            COS Master

            I ran those commands on both the platform controller and the vcenter and I get outputs like below....

             

            WARNING: can't open config file: /usr/local/ssl/openssl.cnf

            Loading 'screen' into random state - done

            CONNECTED(00000124)

            depth=0 CN = vmlab-vsan-vctr.sky.net, C = US

            verify error:num=20:unable to get local issuer certificate

            verify return:1

            depth=0 CN = vmlab-vsan-vctr.sky.net, C = US

            verify error:num=27:certificate not trusted

            verify return:1

            depth=0 CN = vmlab-vsan-vctr.sky.net, C = US

            verify error:num=21:unable to verify the first certificate

            verify return:1

            ---

            Certificate chain

            0 s:/CN=vmlab-vsan-vctr.sky.net/C=US

               i:/CN=CA, dc=vsphere,dc=local/C=US/O=vmlab-vsan-plat

            ---

            Server certificate

            subject=/CN=vmlab-vsan-vctr.sky.net/C=US

            issuer=/CN=CA, dc=vsphere,dc=local/C=US/O=vmlab-vsan-plat

            ---

            No client certificate CA names sent

            ---

            SSL handshake has read 1046 bytes and written 490 bytes

            ---

            New, TLSv1/SSLv3, Cipher is AES256-SHA

            Server public key is 2048 bit

            Secure Renegotiation IS supported

            Compression: NONE

            Expansion: NONE

            SSL-Session:

                Protocol  : SSLv3

                Cipher    : AES256-SHA

                Session-ID:

                Session-ID-ctx:

                Master-Key: 5954D9D5B6947A2F12F215CC157268FD8ACCA7976477BE9BDD5C1333DAF40980

            4A53CFA4FAAA0201B200D32B0CC53490

                Key-Arg   : None

                PSK identity: None

                PSK identity hint: None

                SRP username: None

                Start Time: 1432250668

                Timeout   : 7200 (sec)

                Verify return code: 21 (unable to verify the first certificate)

            ---

            read:errno=0

             

            C:\>

             

            NOTE: Servernames have changed since yesterday because I rebuilt the LAB from scratch.

            • 18. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
              bharathl Enthusiast

              I compared the vcenter certificate with ours and it looks the same. Can you paste the output when you connected to the ESXi host also?

              • 19. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                COS Master

                That's my problem. I can't connect an ESX(i) host. Every time I try, I get this error...

                 

                "Cannot contact the specified host (hostname\IP). The host may not be available on the network, a network configuration problem may exist, or the management services on this host may not be responding."

                 

                Thanks

                • 20. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                  bharathl Enthusiast

                  I mean with openssl like openssl s_client -connect ESXihost:443

                  • 21. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                    COS Master

                    I get this...

                     

                    WARNING: can't open config file: /usr/local/ssl/openssl.cnf

                    Loading 'screen' into random state - done

                    CONNECTED(00000128)

                    depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

                    SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

                    localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

                    verify error:num=20:unable to get local issuer certificate

                    verify return:1

                    depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

                    SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

                    localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

                    verify error:num=27:certificate not trusted

                    verify return:1

                    depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

                    SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

                    localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

                    verify error:num=21:unable to verify the first certificate

                    verify return:1

                    ---

                    Certificate chain

                    0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default

                    Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain/un

                    structuredName=1432232584,564d7761726520496e632e

                       i:/O=VMware Installer

                    ---

                    Server certificate

                    subject=/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Defau

                    lt Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain

                    /unstructuredName=1432232584,564d7761726520496e632e

                    issuer=/O=VMware Installer

                    ---

                    No client certificate CA names sent

                    ---

                    SSL handshake has read 1147 bytes and written 635 bytes

                    ---

                    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

                    Server public key is 2048 bit

                    Secure Renegotiation IS supported

                    Compression: NONE

                    Expansion: NONE

                    SSL-Session:

                        Protocol  : TLSv1.2

                        Cipher    : AES256-GCM-SHA384

                        Session-ID:

                        Session-ID-ctx:

                        Master-Key: 1F5C1E925C821DD02DEC4D70986552A4B807B9365C2BD0380681A1F64F2D5C95

                    14600B53F02C9F35EE1925D8EAE6886A

                        Key-Arg   : None

                        PSK identity: None

                        PSK identity hint: None

                        SRP username: None

                        Start Time: 1432252144

                        Timeout   : 300 (sec)

                        Verify return code: 21 (unable to verify the first certificate)

                    ---

                    read:errno=0

                     

                    C:\>
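
An added example, not part of the thread: the two `openssl s_client` transcripts above are compared by eye, and this sketch pulls out the fields that matter for that comparison (negotiated protocol and cipher, subject, issuer, verify errors). The sample is constructed by abridging the vCenter output quoted above; `summarize` and `LEGACY` are hypothetical names.

```python
import re

# Constructed sample: abridged from the s_client output quoted in this thread
# (certificate body and session keys omitted).
SAMPLE = """\
CONNECTED(00000124)
depth=0 CN = vmlab-vsan-vctr.sky.net, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vmlab-vsan-vctr.sky.net, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
---
subject=/CN=vmlab-vsan-vctr.sky.net/C=US
issuer=/CN=CA, dc=vsphere,dc=local/C=US/O=vmlab-vsan-plat
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # protocol versions since deprecated

def summarize(transcript):
    """Pull the fields worth comparing between two s_client runs."""
    def field(pattern):
        m = re.search(pattern, transcript, re.M)
        return m.group(1).strip() if m else None
    errors = sorted({int(n) for n in re.findall(r"^\s*verify error:num=(\d+):", transcript, re.M)})
    code = field(r"^\s*Verify return code:\s*(\d+)")
    info = {
        "connected": "CONNECTED(" in transcript,
        "protocol": field(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": field(r"^\s*Cipher\s*:\s*(\S+)"),
        "subject": field(r"^\s*subject=(.+)$"),
        "issuer": field(r"^\s*issuer=(.+)$"),
        "verify_errors": errors,
        "verify_code": int(code) if code is not None else None,
    }
    info["chain_trusted"] = info["verify_code"] == 0  # 0 = chain verified by this client
    info["legacy_protocol"] = info["protocol"] in LEGACY
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:16} {value}")
```

A subject that the console wrapped across several lines, as in the ESXi output above, is captured only up to the first line break.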

                    • 22. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                      bharathl Enthusiast

                      The output looks similar on my ESXi servers. The other option I can think of is to install a network monitoring tool on the vcenter and monitor the traffic while you are adding the hosts.

                      • 23. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                        bharathl Enthusiast

                        Did you try analyzing the network traffic between the vcenter and the hosts to see if it finds any issue?

                        • 24. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                          COS Master

                          I'll wireshark it today when I get time. Not quite sure what it will reveal because there are no firewalls, they are all on the same switch and network, you can telnet to all the esx hosts, ping from each direction (from esx to vcenter and platform services and vice versa).

                           

                          I'll post results when I get to testing it.

                           

                          Thanks

                          • 25. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                            COS Master

                            OK, after working with VMware on this issue, I think I figured it out.

                             

                            All my hosts are DL360 G6 Servers.

                            All my hosts run the same ESX build from "VMware-ESXi-6.0.0-2494585-HP-600.9.2.38-Mar2015.iso". Downloaded from HP.

                            All builds are in Evaluation mode.

                             

                            After placing a call to VMware, they had me build some ESX VMs, platform services and vcenter VMs on an ESX host. We hung up because it took all day to spin up.

                            Once I got all the pieces (sql server, esx VMs, platform server & vcenter) up in the nested virtualization, I created my Datacenter, then Cluster, then added the ESX hosts.

                            The hosts added fine, no errors. Then I remembered when I installed ESX inside a VM, I got upset that the iso I used from HP wouldn't work in my nested VM because of the virtualized hardware.

                            Then the light came on in my head. Let's rebuild the entire physical cluster but NOT use the HP provided iso file but use the VMware provided iso file "VMware-VMvisor-Installer-6.0.0-2159203.x86_64.iso".

                             

                            I did that today. I rebuilt all the ESX hosts with the VMware provided iso file.....

                            Spun up all the required VMs: SQL Server, Platform Services VM, vCenter VM. My AD & DNS VMs are on another server so they've been up the whole time.

                            Logged into the web interface (Yuck!).

                            Created my Datacenter....

                            Created My Cluster....

                            Added all the hosts to my Cluster.

                            It all worked!!!!

                             

                            So, if you are experiencing the same issue I am, consider building your ESX hosts with the VMware provided iso file and try it. In my case, the HP provided iso file did not function properly for me.

                             

                            I also downloaded the HP iso file 2 other times to make sure and do a sanity check and it did the same thing.

                            • 26. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                              PLU1 Lurker

                              I had the same issue with a vCenter 5.5 and 5.5 Hosts.

                               

                              The problem was that SSLv3 was not active on the ESXi hosts.

                               

                              To enable SSLv3 you have to edit:

                               

                              /etc/vmware/rhttpproxy/config.xml with vi and add the following line

                               

                              <sslOptions>16924672</sslOptions>

                               

                              here:

                              <vmacore>
                              <ssl>
                              ............
                              </ssl>
                              </vmacore>

                               

                              Restart the services with /etc/init.d/rhttpproxy restart.
                              In my case the hosts added without a problem after these changes.
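
An added example, not part of the post above: a config check that reads `sslOptions` from a `config.xml` and reports which protocol versions the value leaves enabled. It assumes the integer is the OpenSSL 1.0.x `SSL_OP_*` bitmask passed through unchanged; the sample XML is constructed, and `audit_ssl_options`, `SSL_OP` and `DISABLE_BIT` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# OpenSSL 1.0.x SSL_OP_* bits from ssl.h. Assumption: rhttpproxy passes the
# sslOptions integer to OpenSSL unchanged.
SSL_OP = {
    "SSL_OP_NO_TICKET": 0x00004000,
    "SSL_OP_NO_COMPRESSION": 0x00020000,
    "SSL_OP_NO_SSLv2": 0x01000000,
    "SSL_OP_NO_SSLv3": 0x02000000,
    "SSL_OP_NO_TLSv1": 0x04000000,
    "SSL_OP_NO_TLSv1_2": 0x08000000,
    "SSL_OP_NO_TLSv1_1": 0x10000000,
}
# Protocol name -> the bit that switches it off.
DISABLE_BIT = {
    "SSLv2": "SSL_OP_NO_SSLv2",
    "SSLv3": "SSL_OP_NO_SSLv3",
    "TLSv1": "SSL_OP_NO_TLSv1",
    "TLSv1.1": "SSL_OP_NO_TLSv1_1",
    "TLSv1.2": "SSL_OP_NO_TLSv1_2",
}

# Constructed sample: a minimal config.xml holding only the element from the post.
SAMPLE_CONFIG = """<config>
  <vmacore>
    <ssl>
      <sslOptions>16924672</sslOptions>
    </ssl>
  </vmacore>
</config>"""

def audit_ssl_options(xml_text):
    """Decode vmacore/ssl/sslOptions; None when the element is absent."""
    node = ET.fromstring(xml_text).find(".//vmacore/ssl/sslOptions")
    if node is None or not (node.text or "").strip():
        return None
    value = int(node.text.strip())
    allowed = [p for p, bit in DISABLE_BIT.items() if not value & SSL_OP[bit]]
    return {
        "value": value,
        "flags_set": [name for name, bit in SSL_OP.items() if value & bit],
        "unknown_bits": value & ~sum(SSL_OP.values()),
        "not_disabled": allowed,
        "sslv3_allowed": "SSLv3" in allowed,
    }

if __name__ == "__main__":
    print(audit_ssl_options(SAMPLE_CONFIG))
```

For 16924672 only the SSLv2 disable bit is set among the protocol bits, so SSLv3 and every TLS version stay enabled; run over collected host configs, the `sslv3_allowed` field marks hosts that still accept SSLv3.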
                              • 27. Re: Can't add ESX 6.0 host to vCenter 6.0 Server
                                vmwaresucksatrestarting Novice

                                Happened to me when I had to rebuild a host. When I went to re-add, the SSL cert was giving a message about not being trusted. I simply added the host anyway and was prompted to re-trust the certificate during that process. It still remembers the list of old VMs that I had on the host (orphaned).
