VMware Cloud Community
mimo974
Contributor

Unable to push CA certificates and CRLs to host

Hello everyone,

Actually, my VCSA is on 6.7 and our 3 ESXi hosts are on 6.7 Update 3. I added a new licence and I want to add a fourth ESXi host (same model and version as the 3 other ESXi hosts) to my cluster, but I get this error message:

Unable to push CA certificates and CRLs to host esx04

Does someone know what the problem is and how I can solve it?

Thanks for your help.


Accepted Solutions
RoderikdeBlock
Enthusiast

I found this in the release notes of 6.7 update 3:

Server Configuration Issues

  • You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system

    The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must be with a CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

    This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html

Or take a look at this thread:

https://communities.vmware.com/thread/619169

Roderik de Block


Blog: https://roderikdeblock.com
