ESXi hosts report the upgrade status as fail after replacing the NSX Manager certificate

Article ID: 301120

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
When you apply a self-signed certificate to NSX Manager, you experience these symptoms:
  • The upgrade button is greyed out under LCM > Update.
  • Under LCM > Inventory, in vcenter-mgmt, you see a red bang mark on the host indicating an ongoing upgrade.

    For example, "rack-1-n0" (6.0.0-5XXXXXX - 6.0.0-5YYYYYY).

  • You see the updated ESXi host version (for example, 6.0.0-5YYYYYY) in vCenter Server, which indicates a successful upgrade of the ESXi host.
  • Rebooting the host after placing it in Maintenance Mode, and restarting the VRM tc-server service, does not help.


Environment

VMware Cloud Foundation 2.0.x
VMware Cloud Foundation 2.1.x

Cause

This issue occurs because VRM is unaware of the user-added certificate and is unable to authenticate NSX Manager.

VRM attempts the host prep before upgrading to ensure that the host is in an upgrade state. If NSX fails to authenticate, you cannot upgrade the host from VRM.

Resolution

To resolve this issue, manually import the self-signed NSX Manager certificate into the VRM trust store so that VRM can authenticate NSX Manager:
  1. Run this command to import the certificate:

    keytool -import -alias nsxmanagercert -keystore /usr/java/jre-vmware/lib/security/cacerts -trustcacerts -file /tmp/nsx.crt

    Note: The certificate must be in PEM format.

  2. Run this command to retrieve the keystore password:

    rack-1-vrm-1:/home/vrack # grep -i password /home/vrack/vrm/bin/setenv.sh

    You see output similar to:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jre-vmware/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=oB9xJ5sU8w -Djsse.enableSNIExtension=false"
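
The two steps above combined into one pre-flight, import and verification script. This is an added example, not part of the original article or VMware's tooling. It assumes openssl is available on the VRM VM and that the bundled keytool supports the -storepass:env modifier; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example. Paths and alias are the article's; function names are hypothetical.
CERT=${CERT:-/tmp/nsx.crt}
SETENV=${SETENV:-/home/vrack/vrm/bin/setenv.sh}
ALIAS=nsxmanagercert

# True only if the file has a PEM certificate envelope (a DER file has none).
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# Print the value of -Djavax.net.ssl.<name>= from a setenv.sh file.
jsse_opt() {  # $1 = option name, $2 = file
    sed -n "s/.*-Djavax\.net\.ssl\.$1=\([^ \"]*\).*/\1/p" "$2" | head -n 1
}

# Reduce an openssl or keytool fingerprint line to bare upper-case hex.
norm_fp() {
    sed 's/.*[=[:space:]]//' | tr -d ':\r' | tr 'a-f' 'A-F'
}

import_and_verify() {
    is_pem_cert "$CERT" || { echo "$CERT is not PEM-encoded" >&2; return 1; }
    store=$(jsse_opt trustStore "$SETENV")
    # Pass the password through the environment, not argv or the terminal.
    STOREPASS=$(jsse_opt trustStorePassword "$SETENV")
    export STOREPASS
    want=$(openssl x509 -in "$CERT" -noout -fingerprint -sha256 | norm_fp)
    echo "SHA-256 of $CERT: $want (compare with the certificate on NSX Manager)"
    # keytool still shows the certificate and asks whether to trust it.
    keytool -import -alias "$ALIAS" -keystore "$store" \
        -storepass:env STOREPASS -trustcacerts -file "$CERT" || return 1
    got=$(keytool -list -v -alias "$ALIAS" -keystore "$store" \
        -storepass:env STOREPASS | grep 'SHA256:' | norm_fp)
    [ "$want" = "$got" ] || { echo "fingerprint mismatch" >&2; return 1; }
    echo "Alias $ALIAS is in $store with the expected fingerprint"
}

# Run on the VRM VM as: sh import_nsx_cert.sh run
if [ "${1:-}" = run ]; then import_and_verify; fi
```

Because the imported certificate becomes a trust anchor for VRM, confirm the printed fingerprint against the certificate actually installed on NSX Manager before answering keytool's trust prompt.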