Adding ESXi host to vCenter fails with error "Unable to get signed certificate for host name 'xx' ip 'xx': Error: Operation failed with error = ERROR_ACCESS_DENIED (5)".

Article ID: 303166

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Unable to add the ESXi host to vCenter. The operation fails with:
"Unable to get signed certificate for host name '##' ip '##': Error: Operation failed with error = ERROR_ACCESS_DENIED (5)".
  • vpxd.certmgmt.mode is set to vmca. If it is changed to thumbprint, the ESXi host can be added.
  • Adding the ESXi host to vCenter with vpxd.certmgmt.mode set to thumbprint, then changing vpxd.certmgmt.mode to vmca and running Renew Certificate for the ESXi host, gives the same issue: the host does not get a certificate issued by VMCA.
  • vpxd.log
20##-##-##T##:14:57.469Z info vpxd[7F##########] [Originator@#### sub=InvtHostCnx opID=AddHostWizard-add-68####-ngc-15] [VpxdInvtHostCnx] SSLVerifyException: Untrusted certificate found on host <esxihostname> Pushing new certificate...
20##-##-##T##:14:57.504Z info vpxd[7F##########] [Originator@#### sub=vpxLro opID=dam-auto-generated: GenerationNumbersMonitor:dr-##:##-##] [VpxLRO] -- BEGIN lro-1375#### -- ResourceModel -- cis.data.provider.ResourceModel.query -- 52b
 
20##-##-##T##:14:58.218Z info vpxd[7F##########] [Originator@#### sub=Vsan opID=AddHostWizard-add-68####-ngc-15] Destroying VSAN dynamic MOs for host-ID.
20##-##-##T##:14:58.220Z info vpxd[7F##########] [Originator@#### sub=licenseClient opID=AddHostWizard-add-682626-ngc-15-LicenseClientUnregisterHostAsync-41312d8c] Unregister host: 'host-ID'
20##-##-##T##:14:58.251Z info vpxd[7F##########] [Originator@#### sub=vpxLro opID=AddHostWizard-add-68####-ngc-15] [VpxLRO] -- FINISH task-29####
20##-##-##T##:14:58.251Z info vpxd[7F##########] [Originator@#### sub=Default opID=AddHostWizard-add-68####-ngc-15] [VpxLRO] -- ERROR task-29#### -- group-h4
-- vim.Folder.addStandaloneHost: vmodl.fault.SystemError:
--> Result:
--> (vmodl.fault.SystemError) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> reason = "Unable to get signed certificate forhost name 'esxihostname' ip '###': Error: Operation failed with error = ERROR_ACCESS_DENIED (5) (5)"
--> msg = ""
  •  vmcad-syslog.log (in 7.0 this is in vmcad.log)

20##-##-##T##:##:##.161380+00:00 info vmcad t@14063: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group:groupname@vsphe20##.##c##

20##-##-##T##:##:##.161832+00:00 info vmcad t@140635667420928: Checking user's group: cn=DCClients,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
20##-##-##T##:##:##.162232+00:00 warning vmcad t@140635667420928: error code: 0x00000005
20##-##-##T##:##:##.162680+00:00 warning vmcad t@140635667420928: error code: 0x00000005
20##-##-##T##:##:##.163033+00:00 warning vmcad t@140635667420928: error code: 0x00000005

  • We noticed that no users were listed under the CAAdmins SSO group.
 
 



Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 7.0x
VMware vCenter Server 8.0x

Cause

The user account with which the operation was attempted was not a member of CAAdmins.
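
The vmcad log pattern shown under Symptoms can be picked out with a short script. This is an added example, not part of the original article or any VMware tooling; the sample lines are constructed in the quoted log format, and reading a 0x00000005 warning that follows a group check on the same thread id as the denial of that check is an assumption drawn from the excerpt.

```python
import re

# Constructed sample in the vmcad log format quoted in the article;
# timestamps and thread ids are made up for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00.161832+00:00 info vmcad t@1001: Checking user's group: cn=DCClients,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2024-01-01T10:00:00.162232+00:00 warning vmcad t@1001: error code: 0x00000005
2024-01-01T10:00:00.162680+00:00 warning vmcad t@1001: error code: 0x00000005
2024-01-01T10:00:05.100000+00:00 info vmcad t@1002: Checking user's group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+vmcad\s+t@(?P<tid>\d+):\s+(?P<msg>.*)$")
CHECK = re.compile(r"Checking (?:user's group|upn):\s*(?P<subject>.+?)"
                   r"\s+against CA admin group:\s*(?P<admin>.+)$")
DENIED = re.compile(r"error code:\s*0x0*5$")  # 0x00000005 = ERROR_ACCESS_DENIED (5)


def find_denials(log_text):
    """Return one finding per thread whose membership checks ended in 0x5.

    Assumption: a 0x00000005 warning on the same thread id as the preceding
    "Checking ..." lines is the outcome of those checks.
    """
    pending = {}   # thread id -> [(subject DN, CA admin group DN), ...]
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        tid, msg = line["tid"], line["msg"]
        check = CHECK.search(msg)
        if check:
            pending.setdefault(tid, []).append((check["subject"], check["admin"]))
        elif DENIED.search(msg) and tid in pending:
            # Repeated 0x5 warnings for one request are reported once:
            # the pending checks are consumed by the first warning.
            checks = pending.pop(tid)
            admin = checks[-1][1]
            subjects = [s for s, _ in checks]
            if all(s.lower() != admin.lower() for s in subjects):
                findings.append({"time": line["ts"], "thread": tid,
                                 "groups_checked": subjects,
                                 "ca_admin_group": admin})
    return findings


if __name__ == "__main__":
    for f in find_denials(SAMPLE_LOG):
        print(f"{f['time']} t@{f['thread']}: access denied; caller groups "
              f"{f['groups_checked']} do not include {f['ca_admin_group']}")
```

To use it on a real system, pass the text of vmcad-syslog.log (vmcad.log in 7.0) to `find_denials` in place of the sample.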

Resolution

The first option is to change vpxd.certmgmt.mode from vmca to thumbprint in order to add the ESXi host.

If that doesn't help, add DCAdmins, DCClients and waiter- under the CAAdmins SSO group.

These are created by default during installation or upgrade. Then add the ESXi host to vCenter with vpxd.certmgmt.mode set to vmca.

 

 

 

 



Additional Information