Adding ESXi host to vCenter fails with error "Unable to get signed certificate for host name 'xx' ip 'xx': Error: Operation failed with error = ERROR_ACCESS_DENIED (5)".

Article ID: 303166

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Unable to add ESXi to Virtual Center:
"Unable to get signed certificate for host name '##' ip '##': Error: Operation failed with error = ERROR_ACCESS_DENIED (5)".
  • vpxd.certmgmt.mode is vmca. If we change it to thumbprint, we are able to add ESXi.
  • Tried adding ESXi to VC with vpxd.certmgmt.mode set to thumbprint, then changed vpxd.certmgmt.mode to vmca and ran Renew Certificate for ESXi. The issue persists and the host does not get a certificate issued by vmca.
  • vpxd.log

2017-09-06T15:14:57.469Z info vpxd[7F23C5425700] [Originator@6876 sub=InvtHostCnx opID=AddHostWizard-add-682626-ngc-15] [VpxdInvtHostCnx] SSLVerifyException: Untrusted certificate found on host <esxihostname> Pushing new certificate...
2017-09-06T15:14:57.504Z info vpxd[7F23AB8F1700] [Originator@6876 sub=vpxLro opID=dam-auto-generated: GenerationNumbersMonitor:dr-81:01-57] [VpxLRO] -- BEGIN lro-13752100 -- ResourceModel -- cis.data.provider.ResourceModel.query -- 52b

2017-09-06T15:14:58.218Z info vpxd[7F23C5425700] [Originator@6876 sub=Vsan opID=AddHostWizard-add-682626-ngc-15] Destroying VSAN dynamic MOs for host-ID.
2017-09-06T15:14:58.220Z info vpxd[7F23C480D700] [Originator@6876 sub=licenseClient opID=AddHostWizard-add-682626-ngc-15-LicenseClientUnregisterHostAsync-41312d8c] Unregister host: 'host-ID'
2017-09-06T15:14:58.251Z info vpxd[7F23C5425700] [Originator@6876 sub=vpxLro opID=AddHostWizard-add-682626-ngc-15] [VpxLRO] -- FINISH task-290806
2017-09-06T15:14:58.251Z info vpxd[7F23C5425700] [Originator@6876 sub=Default opID=AddHostWizard-add-682626-ngc-15] [VpxLRO] -- ERROR task-290806 -- group-h4 -- vim.Folder.addStandaloneHost: vmodl.fault.SystemError:
--> Result:
--> (vmodl.fault.SystemError) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> reason = "Unable to get signed certificate forhost name 'esxihostname' ip '###': Error: Operation failed with error = ERROR_ACCESS_DENIED (5) (5)"
--> msg = ""

  •  vmcad-syslog.log (in 7.0 this is in vmcad.log)
17-09-06T15:14:58.161380+00:00 info vmcad t@140635667420928: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group:[email protected]

17-09-06T15:14:58.161832+00:00 info vmcad t@140635667420928: Checking user's group: cn=DCClients,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
17-09-06T15:14:58.162232+00:00 warning vmcad t@140635667420928: error code: 0x00000005
17-09-06T15:14:58.162680+00:00 warning vmcad t@140635667420928: error code: 0x00000005
17-09-06T15:14:58.163033+00:00 warning vmcad t@140635667420928: error code: 0x00000005

  • We noticed no users were listed under SSO groups for CAAdmins.
 
 



Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 7.0x

Cause

The user that attempted the operation was not a member of the CAAdmins group.
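
To confirm this cause from the log, the following added example (not part of the original article or of VMware tooling) scans vmcad log lines for a CA admin group check followed by error code 0x00000005 on the same thread, and reports which groups the caller held. The function name and the last sample line are constructed for illustration; the regular expressions assume the log format shown in the excerpt above.

```python
import re

# Patterns follow the vmcad log format shown in the article's excerpt.
GROUP_CHECK = re.compile(
    r"^(?P<ts>\S+) info vmcad t@(?P<tid>\d+): Checking user's group: "
    r"(?P<group>.+?) against CA admin group: (?P<admin>.+)$")
DENIED = re.compile(
    r"^(?P<ts>\S+) warning vmcad t@(?P<tid>\d+): error code: 0x00000005$")


def find_ca_access_denied(lines):
    """Return one finding per group-check sequence that ended in error 5."""
    pending = {}   # thread id -> [(caller group, CA admin group), ...]
    findings = []
    for raw in lines:
        line = raw.strip()
        m = GROUP_CHECK.match(line)
        if m:
            pending.setdefault(m["tid"], []).append((m["group"], m["admin"]))
            continue
        m = DENIED.match(line)
        if m and m["tid"] in pending:
            # Popping the thread's pending checks collapses the repeated
            # "error code" lines of one request into a single finding.
            checks = pending.pop(m["tid"])
            findings.append({
                "time": m["ts"],
                "thread": m["tid"],
                "caller_groups": [group for group, _ in checks],
                "ca_admin_group": checks[-1][1],
            })
    return findings


# The first four lines come from the article's vmcad excerpt. The last line is
# constructed: a check on another thread with no error after it, so it must
# not produce a finding.
SAMPLE = """\
17-09-06T15:14:58.161832+00:00 info vmcad t@140635667420928: Checking user's group: cn=DCClients,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
17-09-06T15:14:58.162232+00:00 warning vmcad t@140635667420928: error code: 0x00000005
17-09-06T15:14:58.162680+00:00 warning vmcad t@140635667420928: error code: 0x00000005
17-09-06T15:14:58.163033+00:00 warning vmcad t@140635667420928: error code: 0x00000005
17-09-06T15:20:01.000000+00:00 info vmcad t@140635667420999: Checking user's group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
""".splitlines()

if __name__ == "__main__":
    for f in find_ca_access_denied(SAMPLE):
        print(f"{f['time']} t@{f['thread']}: access denied after checking "
              f"{f['caller_groups']} against {f['ca_admin_group']}")
```

A finding whose caller_groups list contains DCClients or DCAdmins but not CAAdmins matches the condition described in this article.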

Resolution

The first option is to change vpxd.certmgmt.mode from vmca to thumbprint in order to add the ESXi host.

If that doesn't help, add DCAdmins, DCClients and waiter- to the CAAdmins SSO group.

These are created by default during installation or upgrade. Then add ESXi to VC with vpxd.certmgmt.mode set to vmca.

 

 

 

 



Additional Information