Highlighted
Expert
Expert

Can't add ESX 6.0 host to vCenter 6.0 Server

Jump to solution

OK, I am testing in the lab a vsan cluster for 6.0.

I have my esx hosts running 6.0.0 and vcenter server is 6.0.0 also.

I have platform services on one vm and vcenter on another. I was able to create a datacenter and then a cluster underneath.

Next I went to try and add a host to my cluster and I get this error....

Cannot contact the specified host (hostname\IP). The host may not be available on the network, a network configuration problem may exist, or the management services on this host may not be responding.


Per this KB: VMware KB: Adding a VMware ESXi/ESX host to VMware vCenter Server fails


I confirmed that my vcenter server and platform services server can see all the esx hosts. From within the vcenter server, it can ping the esx hosts and putty can get to all of them. I even installed the thick client and it can connect to all the esx hosts. I used netbios name, FQDN and IP and they all worked.

I only have one subnet so that's not an issue. DNS resolution works across the board from both directions, from vcenter to esx hosts and esx hosts to vcenter.


I'm quite stumped. :smileyconfused:



27 Replies
Highlighted
Enthusiast
Enthusiast

I mean with openssl like openssl s_client -connect ESXihost:443

0 Kudos
Highlighted
Expert
Expert

I get this...

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Loading 'screen' into random state - done

CONNECTED(00000128)

depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

verify error:num=27:certificate not trusted

verify return:1

depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", OU = VMware E

SX Server Default Certificate, emailAddress = ssl-certificates@vmware.com, CN =

localhost.localdomain, unstructuredName = "1432232584,564d7761726520496e632e"

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default

Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain/un

structuredName=1432232584,564d7761726520496e632e

   i:/O=VMware Installer

---

Server certificate

-----BEGIN CERTIFICATE-----

MIID8TCCAtmgAwIBAgIGOuAuOHLBMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAoT

EFZNd2FyZSBJbnN0YWxsZXIwHhcNMTUwNTIxMTgyMzA1WhcNMjYxMTE5MTgyMzA1

WjCB+jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT

CVBhbG8gQWx0bzEUMBIGA1UEChMLVk13YXJlLCBJbmMxLjAsBgNVBAsTJVZNd2Fy

ZSBFU1ggU2VydmVyIERlZmF1bHQgQ2VydGlmaWNhdGUxKjAoBgkqhkiG9w0BCQEW

G3NzbC1jZXJ0aWZpY2F0ZXNAdm13YXJlLmNvbTEeMBwGA1UEAxMVbG9jYWxob3N0

LmxvY2FsZG9tYWluMTAwLgYJKoZIhvcNAQkCEyExNDMyMjMyNTg0LDU2NGQ3NzYx

NzI2NTIwNDk2ZTYzMmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj

WJ1gCtaT4GMuybGa4w1Y43FGzFFzArIeNcjKI09bdHMYFpQzndgy+yThDGjaNwAR

KIl8ljUXW83ObUwrvat1tQuDsQ+7z+yhNfVOIchhkyjrfwwrxzKIlxS3huZqZHEr

xUI5pr1HT0pfOC/ZZZDOBf69twZ3CIbTNNpnNnJt2KNmrWl115i1/fnq3klqtcAO

ZorGyeFLMV6LMKDDFhGc2eEVzVAmp8Kr6Ruxm90SrFraiiC4sHjZVn3caVB0kDes

n0NTgmqPpyxP74OVmgyU5hanKQymbrahaYWMzE6oOnu1ebSp8km7uRb/AA/fwMuN

DHV3ecJMqdwcA/9o6c8tAgMBAAGjWzBZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSw

MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAgBgNVHREEGTAXghVsb2Nh

bGhvc3QubG9jYWxkb21haW4wDQYJKoZIhvcNAQELBQADggEBAJDGm1xhGEnGZhU5

YdnZWKkuyFI+XZdKqWGUOrzTa4n0hgu+MP8IX8Uf0fCPDmTQjHvI839gBEAfHtQZ

hCX/cYwgu/Q6tHiKEiASUxPVYYJYfvsAbsAhL0WgIqQVkgjn33SMFI66T+60BQqm

H8vmvLIhMXnXTCXKkfEZ/Abd4+Is/WrDTzOav/FxtKc+ULuXxO0QaRmOmKrwxWyR

mkxorKYwgX6Nh9gnAou/X+Rh3pWA++ZG14CRoh/AleYc2MTqLRl4Ky+vq9z2UHaq

ihTv2E5nKuLGizMdoXnbcD95L/lfz5m9eHxjOO3jkmGzgo2+f7qe8jJI5cqky1sk

O+b+GWo=

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Defau

lt Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain

/unstructuredName=1432232584,564d7761726520496e632e

issuer=/O=VMware Installer

---

No client certificate CA names sent

---

SSL handshake has read 1147 bytes and written 635 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-GCM-SHA384

    Session-ID:

    Session-ID-ctx:

    Master-Key: 1F5C1E925C821DD02DEC4D70986552A4B807B9365C2BD0380681A1F64F2D5C95

14600B53F02C9F35EE1925D8EAE6886A

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1432252144

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

read:errno=0

C:\>

0 Kudos
Highlighted
Enthusiast
Enthusiast

The output looks similar on my ESXi servers. The other options I can think of is to install any network monitor tools on the vcenter and monitor the traffic while you are adding the hosts.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Did you try analyzing the network traffic between the vcenter and the hosts and see if it finds any issue.

0 Kudos
Highlighted
Expert
Expert

I'll wireshark it today when I get time. Not quite sure what it will reveal because there are no firewalls, they are all on the same switch and network, you can telnet to all the esx hosts, ping from each direction (from esx to vcenter and platform services and vice versa).

I'll post results when I get to testing it.

Thanks

0 Kudos
Highlighted
Expert
Expert

OK, after working with VMware on this issue, I think I figured it out.

All my hosts are DL360 G6 Servers.

All my hosts are run the same build ESX from "VMware-ESXi-6.0.0-2494585-HP-600.9.2.38-Mar2015.iso". Downloaded from HP.

All builds are in Evaluation mode.

After placing a call to VMware, they had me build some ESX VM's, platform services and vcenter VM's on an ESX host. We hung up because it took all day to spin up.

Once I got all the pieces (sql server, esx vm's, platform server & vcenter) up in the nested virtualization, I created my Datacenter, then Cluster then added the ESX hosts.

The hosts added fine, no errors. Then I remembered when I installed ESX inside a VM, I got upset that the iso I used from HP wouldn't work in my nested VM because of the virtualized hardware.

Then a the light came on in my head. Let's rebuild the entire physical cluster but NOT use the HP provided iso file but use the VMware provided iso file "VMware-VMvisor-Installer-6.0.0-2159203.x86_64.iso".

I did that today. I rebuilt all the ESX hosts with the VMware provided iso file.....

Spun up all the required VM's SQL Server, Platform Services VM, vCenter VM. My AD & DNS VM's are on another server so it's been up the whole time.

Logged into the web interface (Yuck!).

Created my Datacenter....

Created My Cluster....

Added all the hosts to my Cluster.

It all worked!!!!

So, if you are experiencing the same issue I am, consider building your ESX hosts with the VMware provided iso file and try it. In my case, the HP provided iso file did not function properly for me.

I also downloaded the HP iso file 2 other times to make sure and do a sanity check and it did the same thing.

_______________________________________________________________________________________________________

"Did you find this helpful? Let us know by completing this survey (takes 1 minute!)"

View solution in original post

Highlighted
Contributor
Contributor

I had the same issue with a vCenter 5.5 and 5.5 Hosts.

The problem was that SSLv3 was not active on the ESXi hosts.

To enable SSLv3 you have to edit:

/etc/vmware/rhttpproxy/config.xml with vi and add the following line

<sslOptions>16924672</sslOptions>

here:

<vmacore>
<ssl>
............
</ssl>
</vmacore>

Restart the services with /etc/init.d/rhttpproxy restart.
In my case the hosts added without a problem after these changes.
0 Kudos
Highlighted
Contributor
Contributor

Happened to me when i had to rebuild a host. When i went to re-add the SSL cert was giving a message about not being trusted. I simply added the host anyway and was prompted to re trust the certificate during that process. It still remembers the list of old vms that i had on the host (orphaned)

0 Kudos