VMware Cloud Community
Andreasbuchwald
Contributor

Refreshing CA Certificates fails with A general system error occurred: Unable to push CA certificates and CRLs to hostxxxx after upgrade to last Build 6.7 U3 15018017

Hey,

Just noticed after updating all hosts to the latest build 15018017 that I have a problem adding new hosts to vCenter 6.7 U3 latest build, and I'm not able to push certs from vCenter to hosts anymore.

To add a host I have to change "vpxd.certmgmt.mode" on the VCSA from vmca to thumbprint; that's the only way, but even then I'm not able to push certs or export system logs via the GUI from vCenter with hosts on the 6.7 U3 latest build.

Is anyone here having the same problems, or better, does anyone have any workarounds?

Regards

Andy

3 Replies
AhmedIbrahimVMw
Enthusiast

VMware GSS can assist you in analyzing the logs to understand why this happens and how to fix it.

If you want a workaround, first change the certmgmt.mode back to vmca, remove the hosts, and generate a new self-signed certificate on the hosts using KB1020502; for your convenience, I'm listing the steps here:

From an ESXi shell run these commands:

cp /etc/vmware/ssl/rui.* /var/tmp

rm /etc/vmware/ssl/rui.*

/sbin/generate-certificates

Next try to connect the host, and see if it can retrieve a new certificate from VMCA or not. If it fails, then take a snapshot of vCenter Server, open vCenter Server shell (or cmd if it is a Windows deployment), and run the "certificate-manager" tool to reset all certificates (Option 8), as per the following KB:

https://kb.vmware.com/s/article/2112283

Andreasbuchwald
Contributor

Hello,

We are a BCS customer and an SR is open already; I just want to know if somebody else has a "feature" like this.

Regards

Andreas

msripada
Virtuoso
Accepted solution

Hello

This is a known issue and is mentioned in the release notes with a workaround:

VMware vCenter Server 6.7 Update 3 Release Notes

You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system

The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must have the CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

Thanks,

MS

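The release note quoted in the accepted answer says the ESXi trust store only accepts certificates whose X509v3 Basic Constraints carry CA:TRUE. As an added example (not code from the thread, from VMware, or from any KB), here is a POSIX shell check using only the openssl CLI that reports whether a PEM certificate would pass that requirement; the function names, the constructed test certificates and the temporary config file are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: check whether a PEM
# certificate carries the CA bit (X509v3 Basic Constraints: CA:TRUE) that the
# ESXi trust store requires, using only the openssl CLI.

# Print the Basic Constraints value of a PEM certificate (e.g. "CA:TRUE" or
# "CA:FALSE"); prints nothing if the extension is absent.
basic_constraints() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | tail -n 1 | tr -d ' '
}

# Return 0 when the trust store would accept the certificate (CA:TRUE present),
# 1 when it would be rejected, e.g. a self-signed leaf certificate without the
# bit, which is the case the release note describes.
trust_store_accepts() {
    case "$(basic_constraints "$1")" in
        *CA:TRUE*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Generate a constructed self-signed test certificate (hypothetical helper).
# $1 = output PEM path, $2 = "CA:TRUE" or "CA:FALSE". A private config file is
# used so the result does not depend on the system openssl.cnf defaults.
make_test_cert() {
    cfg=$(mktemp) || return 1
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\nbasicConstraints = critical, %s\n' \
        "$2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj '/CN=esxi-test' -config "$cfg" -extensions ext >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Stand-alone usage: sh check_ca_bit.sh /path/to/certificate.pem
if [ "$#" -eq 1 ]; then
    if trust_store_accepts "$1"; then
        echo "$1: CA bit set ($(basic_constraints "$1")), the trust store will accept it"
    else
        echo "$1: no CA:TRUE ($(basic_constraints "$1")), rejected unless Config.HostAgent.ssl.keyStore.allowSelfSigned is TRUE"
    fi
fi
```

Running it against a host's own self-signed server certificate shows whether you are in the release-note situation before you touch the advanced option.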