VMware Cloud Community
n_c_vmware
Contributor

A general system error occurred: Unable to get root certificates from VECS

Hi guys,

I am sick and tired of the load of issues VMware gives us around SSL. I think I know by now a lot more than many VMware support guys when it comes to tools integration SSL issues etc. Anyways, all that being said, today I found out another issue around SSL which I don't have an answer for. Hope some of you might be able to help faster than support, based on my experience with them when it comes to SSL and other issues.

So when trying to add a brand new ESXi 6 host with self-signed certs to vCenter 6 with the web client or the thick client, this comes up: "A general system error occurred: Unable to get root certificates from VECS". VECS is SSL so I am guessing something messed up there.

Now I tricked it a bit: got the SSL done manually, installed it, added the host to vCenter no problem, but the issue is still there. So if you right-click on the host and click renew certs, the same error comes up.

How can we fix this? I am just tired of vSphere 6 and SSL issues...

George

7 Replies
n_c_vmware
Contributor

Still having the issue, does anyone have any input for me?

tomcjq
Contributor

Same issue here, haven't found a fix yet.

n_c_vmware
Contributor

We are still working with VMware. The weird thing is we also have a lab and it all works fine as it is supposed to; it must be something simple, the process is missing the root VMCA certs.

tomcjq
Contributor

Interesting, I finally managed to work around it...

First, some background... This is what the vpxd log looks like for me:

2016-01-28T13:59:53.695-05:00 error vpxd[05400] [Originator@6876 sub=Main opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [Vpxd::VecsUtil::GetCertsFromStore] Unable to enumerate trusted roots from VECS localhost. error: 87
2016-01-28T13:59:53.695-05:00 error vpxd[05400] [Originator@6876 sub=certManagerMo opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] CertManagerMo::SignCertificate Unable to get a root certificates from VECS xerxes.ad.heurekasoftware.com.
2016-01-28T13:59:53.700-05:00 error vpxd[05400] [Originator@6876 sub=hostInvtOps opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [HostInvtOps::AddHostToContainer] Failed to add host as connected, cleaning up
2016-01-28T13:59:53.701-05:00 error vpxd[05400] [Originator@6876 sub=hostInvtOps opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [HostInvtOps::AddStandaloneHost] Caught an exception while attempting to add standalone host: vmodl.fault.SystemError
2016-01-28T13:59:53.706-05:00 error vpxd[05496] [Originator@6876 sub=HttpConnectionPool-000001] [ConnectComplete] Connect failed to <cs p:000000000925a120, TCP:172.17.10.14:443>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:
--> PeerThumbprint: 80:CE:73:2F:6D:EB:DD:F5:9C:03:FF:0E:21:8F:C8:E6:02:57:92:11
--> ExpectedThumbprint:
--> ExpectedPeerName: 172.17.10.14
--> The remote host certificate has these problems:
-->
--> * A certificate in the host's chain is based on an untrusted root.
-->
--> * Host name does not match the subject name(s) in certificate.)
2016-01-28T13:59:53.706-05:00 error vpxd[05400] [Originator@6876 sub=InvtHost opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [VpxdInvtHost::HandlePreRemovalCleanup] Failed to reconnect to cleanup before host removal : class Vim::Fault::SSLVerifyFault::Exception(vim.fault.SSLVerifyFault)
2016-01-28T13:59:53.706-05:00 error vpxd[05400] [Originator@6876 sub=Iofilter opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] iofilter: IoFilterVasa::HandleHostRemove: host [vim.HostSystem:host-635,172.17.10.14] has NULL config

However, using the vecs-cli command I was able to enumerate certificates just fine.  After some playing around, I looked at my vCenter node in the web client -> manage -> active certificates, where I noticed that there was in fact a certificate created each time I tried to join a host to the cluster... interesting.  So, I SSH'd to the ESXi host in question.  vCenter apparently installed the new certificate just fine, but stopped short of restarting the management daemons on that host.  I restarted the management daemons (vpxa & hostd) from the command line on the host and re-added the host in the web UI.  Everything worked at that point.

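The vpxd excerpt in tomcjq's reply carries two distinct signals that are easy to conflate: a vCenter-side failure (VECS could not enumerate TRUSTED_ROOTS, error 87) and a host-side TLS verification failure (the host presented a certificate chained to an untrusted root with a name mismatch). The following is an added triage script, not code from the thread or from VMware. It parses the log lines quoted above (copied verbatim, blank lines dropped), folds the "-->" continuation lines into their parent record, and separates the two failure classes so an operator can see which side to look at first. The regular expressions are written for the line layout shown in this excerpt and are an assumption about the wider vpxd.log format.

```python
import re

# vpxd.log excerpt quoted in tomcjq's reply above (blank lines removed; otherwise verbatim).
VPXD_LOG = """\
2016-01-28T13:59:53.695-05:00 error vpxd[05400] [Originator@6876 sub=Main opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [Vpxd::VecsUtil::GetCertsFromStore] Unable to enumerate trusted roots from VECS localhost. error: 87
2016-01-28T13:59:53.695-05:00 error vpxd[05400] [Originator@6876 sub=certManagerMo opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] CertManagerMo::SignCertificate Unable to get a root certificates from VECS xerxes.ad.heurekasoftware.com.
2016-01-28T13:59:53.700-05:00 error vpxd[05400] [Originator@6876 sub=hostInvtOps opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [HostInvtOps::AddHostToContainer] Failed to add host as connected, cleaning up
2016-01-28T13:59:53.701-05:00 error vpxd[05400] [Originator@6876 sub=hostInvtOps opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [HostInvtOps::AddStandaloneHost] Caught an exception while attempting to add standalone host: vmodl.fault.SystemError
2016-01-28T13:59:53.706-05:00 error vpxd[05496] [Originator@6876 sub=HttpConnectionPool-000001] [ConnectComplete] Connect failed to <cs p:000000000925a120, TCP:172.17.10.14:443>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:
--> PeerThumbprint: 80:CE:73:2F:6D:EB:DD:F5:9C:03:FF:0E:21:8F:C8:E6:02:57:92:11
--> ExpectedThumbprint:
--> ExpectedPeerName: 172.17.10.14
--> The remote host certificate has these problems:
-->
--> * A certificate in the host's chain is based on an untrusted root.
-->
--> * Host name does not match the subject name(s) in certificate.)
2016-01-28T13:59:53.706-05:00 error vpxd[05400] [Originator@6876 sub=InvtHost opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] [VpxdInvtHost::HandlePreRemovalCleanup] Failed to reconnect to cleanup before host removal : class Vim::Fault::SSLVerifyFault::Exception(vim.fault.SSLVerifyFault)
2016-01-28T13:59:53.706-05:00 error vpxd[05400] [Originator@6876 sub=Iofilter opID=cadf1119-5c98-45bd-89db-d4b6149faa04-738-ngc-28] iofilter: IoFilterVasa::HandleHostRemove: host [vim.HostSystem:host-635,172.17.10.14] has NULL config
"""

# Line layout assumed from the excerpt: "<ts> <level> <proc>[<pid>] [Originator@N k=v ...] <msg>"
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) (?P<proc>\w+)\[(?P<pid>\d+)\] "
    r"\[Originator@\d+ (?P<attrs>[^\]]*)\] (?P<msg>.*)$"
)
VECS_ERR_RE = re.compile(
    r"Unable to enumerate trusted roots from VECS (?P<store>\S+)\. error: (?P<code>\d+)"
)
CONNECT_RE = re.compile(r"Connect failed to <[^>]*TCP:(?P<host>[\d.]+):(?P<port>\d+)>")
VERIFY_KEYS = {"PeerThumbprint", "ExpectedThumbprint", "ExpectedPeerName"}


def parse_vpxd(text):
    """Split the log into records; '-->' lines are folded into the preceding record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-->"):
            cont = line[3:].strip()
            if records and cont:
                records[-1]["cont"].append(cont)
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue  # unrecognised layout: skip rather than guess
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split() if "=" in kv)
        records.append({"ts": m["ts"], "level": m["level"], "pid": m["pid"],
                        "sub": attrs.get("sub"), "opID": attrs.get("opID"),
                        "msg": m["msg"], "cont": []})
    return records


def ssl_verify_details(rec):
    """Pull thumbprints, expected name and the '*' problem list out of an SSLVerifyException."""
    details = {"problems": []}
    for c in rec["cont"]:
        if c.startswith("* "):
            details["problems"].append(c[2:].rstrip(")"))
        else:
            key, _, val = c.partition(":")
            if key.strip() in VERIFY_KEYS:
                details[key.strip()] = val.strip()
    return details


def triage(text):
    """Separate vCenter-side VECS store errors from host-side TLS verification failures."""
    summary = {"vecs_errors": [], "ssl_failures": [], "failed_ops": set()}
    for rec in parse_vpxd(text):
        m = VECS_ERR_RE.search(rec["msg"])
        if m:
            summary["vecs_errors"].append({"ts": rec["ts"], "store": m["store"],
                                           "code": int(m["code"]), "opID": rec["opID"]})
            summary["failed_ops"].add(rec["opID"])
        m = CONNECT_RE.search(rec["msg"])
        if m and "SSLVerifyException" in rec["msg"]:
            details = ssl_verify_details(rec)
            details["host"] = m["host"]
            summary["ssl_failures"].append(details)
    summary["failed_ops"] = sorted(summary["failed_ops"])
    return summary


def findings(text):
    """Human-readable lines, one per failure class, pointing at where to look next."""
    s = triage(text)
    out = []
    for e in s["vecs_errors"]:
        out.append(f"vCenter side: VECS trusted-root enumeration on {e['store']} failed "
                   f"(error {e['code']}) during op {e['opID']}")
    for f in s["ssl_failures"]:
        out.append(f"host side: {f['host']} presented thumbprint {f.get('PeerThumbprint', '?')}; "
                   f"{len(f['problems'])} verification problem(s): " + "; ".join(f["problems"]))
    return out


if __name__ == "__main__":
    for line in findings(VPXD_LOG):
        print(line)
```

The first finding is the one that matches the thread's error dialog and belongs to the opID of the add-host operation; the second is the reconnect that vCenter attempts while cleaning up, which fails because the host's newly pushed certificate is not yet trusted (and, in this excerpt, still carries a name that does not match the address used). Keeping the two apart avoids chasing the host-side message when the store on the vCenter side is what needs attention.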
n_c_vmware
Contributor

Funny, now it's May and we have an escalated ticket with VMware from January, not able to identify the cause... Unreal.

crooky1106
Contributor

Apologies in advance for resurrecting an old thread...

I had this issue but was able to work around it by removing the host from the cluster and then renewing the cert via the web client.

EagleB5
VMware Employee

Same issue here, but I just found a promising KB from VMware --> VMware Knowledge Base

If we check our trusted root store on the PSC with the command "D:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry list --store TRUSTED_ROOTS > root-cert.txt", it shows >100 certificates. As mentioned in the KB, any count over 22 causes problems, so we have to clean that store and try adding ESXi hosts again.

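EagleB5's check above (dump TRUSTED_ROOTS with vecs-cli and count the entries against the limit of 22 quoted from the KB) is easy to do by eye once, but a store that has grown past 100 entries usually did so by the same root being re-added under new aliases, and that is what you want to see before deciding what to clean. The script below is an added example, not VMware's tooling or code from this thread: it reads a saved `vecs-cli entry list --store TRUSTED_ROOTS` dump, counts entries, computes each certificate's SHA-1 thumbprint in the same colon-separated form vpxd prints as PeerThumbprint, and reports aliases that hold byte-identical certificates. The sample dump is constructed; its layout (Number of entries / Alias / Entry type / PEM block) is an assumption about the tool's output, and the PEM bodies are base64 placeholders rather than real X.509 data, so the thumbprints are only meaningful relative to each other.

```python
import base64
import hashlib

# Constructed sample of a saved `vecs-cli entry list --store TRUSTED_ROOTS` dump. The layout
# is assumed from the tool's usual output; the certificate bodies are base64 placeholders
# ("CERT-A-PLACEHOLDER" / "CERT-B-PLACEHOLDER"), not real certificates. Entries 1 and 3
# hold the same bytes under different aliases, the pattern a re-added root produces.
SAMPLE_VECS_OUTPUT = """\
Number of entries in store : 3
Alias : root-a-2015
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE-----
Q0VSVC1BLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Alias : root-b-2015
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE-----
Q0VSVC1CLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Alias : root-a-readded-2016
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE-----
Q0VSVC1BLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

KB_MAX_TRUSTED_ROOTS = 22  # limit quoted in EagleB5's reply from the VMware KB


def parse_vecs_entries(text):
    """Return one dict per PEM block: alias and SHA-1 thumbprint of the DER bytes."""
    entries, alias, pem, in_pem, declared = [], None, [], False, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem, in_pem = [], True
        elif line.startswith("-----END CERTIFICATE-----"):
            der = base64.b64decode("".join(pem))
            # Same AA:BB:... layout vpxd uses for PeerThumbprint, so values can be compared
            # directly against the SSLVerifyException lines in vpxd.log.
            thumb = ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())
            entries.append({"alias": alias, "thumbprint": thumb})
            in_pem = False
        elif in_pem:
            pem.append(line.strip())
        elif line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Number of entries in store"):
            declared = int(line.split(":", 1)[1].strip())
    return entries, declared


def audit_trusted_roots(text, max_entries=KB_MAX_TRUSTED_ROOTS):
    """Count entries, flag the KB threshold, and list aliases holding duplicate certificates."""
    entries, declared = parse_vecs_entries(text)
    first_seen, duplicates = {}, []
    for e in entries:
        if e["thumbprint"] in first_seen:
            duplicates.append((e["alias"], first_seen[e["thumbprint"]]))
        else:
            first_seen[e["thumbprint"]] = e["alias"]
    return {
        "declared": declared,
        "count": len(entries),
        "unique": len(first_seen),
        "over_limit": len(entries) > max_entries,
        "duplicates": duplicates,  # (redundant alias, alias that already holds the same cert)
    }


if __name__ == "__main__":
    report = audit_trusted_roots(SAMPLE_VECS_OUTPUT)
    print(f"{report['count']} entries ({report['unique']} unique), over KB limit: {report['over_limit']}")
    for dup, original in report["duplicates"]:
        print(f"  {dup} duplicates {original}")
```

On a real dump, `declared` not matching `count` means the file was truncated or the layout differs from the assumption above, and the numbers should not be trusted until that is resolved. Duplicates are the safe first candidates when trimming the store, since removing a second copy of a root changes nothing about what vCenter trusts; entries that are unique need to be judged on whether anything still chains to them.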