1 Reply Latest reply on Feb 17, 2020 11:01 PM by RoderikdeBlock

    Unable to push CA certificates and CRLs to host

    mimo974 Novice

      Hello everyone,

       

      Actually, my VCSA is on 6.7 and our 3 ESXi hosts are on 6.7 Update 3. I added a new licence and I want to add a fourth ESXi host (same model and version as the 3 other ESXi hosts) to my cluster, but I get this error message:

       

      Unable to push CA certificates and CRLs to host esx04

       

      Does anyone know what the problem is and how I can solve it?

       

      Thanks for your help.

        • 1. Re: Unable to push CA certificates and CRLs to host
          RoderikdeBlock Hot Shot

          I found this in the release notes of 6.7 update 3:

           

          Server Configuration Issues

          • You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system

            The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

            This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

          https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html

           

          Or take a look at this thread:

           

          https://communities.vmware.com/thread/619169
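
The release note quoted in the reply above says the ESXi trust store rejects certificates that lack X509v3 Basic Constraints CA:TRUE. As an added example (not part of the thread or of VMware's documentation), the following shell script checks a PEM certificate for that bit with the openssl CLI; the function names, the verdict strings and the generated sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by the CA bit the release note names.

# Print "CA:TRUE", "CA:FALSE", "absent" or "unreadable" for the PEM file in $1.
ca_bit() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable"; return 2; }
    # In openssl's text output the value sits on the line after the extension name.
    value=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | tail -n 1)
    case "$value" in
        *CA:TRUE*)  echo "CA:TRUE" ;;
        *CA:FALSE*) echo "CA:FALSE" ;;
        *)          echo "absent" ;;
    esac
}

# Assumption: the verdict strings are this example's reading of the release note.
trust_store_verdict() {
    case "$(ca_bit "$1")" in
        CA:TRUE)         echo "accepted" ;;
        CA:FALSE|absent) echo "rejected-no-ca-bit" ;;
        *)               echo "unreadable" ;;
    esac
}

# Constructed sample input: write a throwaway self-signed certificate to $1
# with basicConstraints set to $2 (for example CA:TRUE or CA:FALSE).
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = sample.example.invalid
[ext]
basicConstraints = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Check every certificate file named on the command line.
for cert in "$@"; do
    printf '%s: %s (%s)\n' "$cert" "$(ca_bit "$cert")" "$(trust_store_verdict "$cert")"
done
```

A `rejected-no-ca-bit` result on a self-signed certificate is the case that the release note's `Config.HostAgent.ssl.keyStore.allowSelfSigned` option addresses.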