Hey,
I just saw, after updating all hosts to the latest build 15018017, that I have a problem adding new hosts to vCenter 6.7 U3 latest build, and I'm not able to push certs from vCenter to hosts anymore.
To add a host I have to change "vpxd.certmgmt.mode" under vcsa from vmca to thumbprint, that's the only way, but even then I'm not able to push certs or export system logs over the GUI from vCenter with a host on the 6.7 U3 latest build.
Is anyone here having the same problems, or better, does anyone have any workarounds?
Regards
Andy
Hello
This is a known issue and is mentioned in the release notes with a workaround:
VMware vCenter Server 6.7 Update 3 Release Notes
You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system
The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.
This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.
Thanks,
MS
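As an added illustration, not part of the thread above, the following POSIX shell script checks a certificate for the X509v3 Basic Constraints CA:TRUE flag that the release notes say the ESXi trust store requires, and contrasts a CA-style self-signed certificate with a leaf-style one. The subject name, file names and both extension sections are constructed for the demo; it only needs the openssl CLI.

```shell
# Added example (not from the thread): does a certificate carry the
# Basic Constraints CA:TRUE flag the ESXi trust store requires?
# Requires the openssl CLI (present on ESXi and on Linux).
set -e
WORK=$(mktemp -d)

# Minimal request config; the subject and both extension sections are
# constructed for this demo, not taken from a real host.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = esxi-host.lab.example
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF

# make_self_signed <name> <extension section>: writes $WORK/<name>.key and .crt
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -config "$WORK/req.cnf" -extensions "$2" 2>/dev/null
}

# ca_bit_set <cert.pem>: exit 0 if Basic Constraints says CA:TRUE, 1 otherwise.
# This is the property the trust store checks; a cert lacking it is rejected
# unless Config.HostAgent.ssl.keyStore.allowSelfSigned is TRUE.
ca_bit_set() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# report <cert.pem>: human-readable verdict for one certificate file.
report() {
    if ca_bit_set "$1"; then
        echo "$1: CA:TRUE present, accepted by the trust store"
    else
        echo "$1: CA bit missing, rejected unless allowSelfSigned=TRUE"
    fi
}

make_self_signed ca-style v3_ca
make_self_signed leaf-style v3_leaf
report "$WORK/ca-style.crt"
report "$WORK/leaf-style.crt"
```

On a live host the same check is `report /etc/vmware/ssl/rui.crt`, which tells you before the add-host attempt whether the host certificate will be rejected.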
VMware GSS can assist you in analyzing the logs to understand why this happens and how to fix it.
If you want a workaround, first change the certmgmt.mode back to vmca, remove the hosts, and generate a new self-signed certificate on the hosts using KB1020502. For your convenience, I'm listing the steps here:
From an ESXi shell run these commands:
cp /etc/vmware/ssl/rui.* /var/tmp
rm /etc/vmware/ssl/rui.*
/sbin/generate-certificates
Next try to connect the host, and see if it can retrieve a new certificate from VMCA or not. If it fails, then take a snapshot of vCenter Server, open vCenter Server shell (or cmd if it is a Windows deployment), and run the "certificate-manager" tool to reset all certificates (Option 8), as per the following KB:
Hello,
We are a BCS customer and an SR is already open; I just want to know if somebody else has a "Feature" like this.
Regards
Andreas