Adding an ESXi host to the vCenter Appliance prompts the following error: "does not contain the root certificate chain"
Article ID: 310571
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Symptoms:
Attempt to refresh certificate on ESXi host fails
In the ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd.log file, you see entries similar to:

2017-02-27T09:54:16.096-07:00 info vpxd[05004] [Originator@6876 sub=vpxLro opID=########-####-####-####-########6943-4515-ngc-a] [VpxLRO] -- FINISH task-6155674
2017-02-27T09:54:16.096-07:00 info vpxd[05004] [Originator@6876 sub=Default opID=########-####-####-####-########6943-4515-ngc-a] [VpxLRO] -- ERROR task-6155674 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError:
--> Result:
--> (vmodl.fault.SystemError) {
--> faultCause = (vmodl.MethodFault) null,
--> reason = "Unable to get root certificates from VECS
--> ",
--> msg = ""
--> }
--> Args:
-->
--> Arg host:
--> (ManagedObjectReference) [
--> 'vim.HostSystem:########-####-####-####-########C211:host-257606'
--> ]
2017-02-27T09:54:16.101-07:00 warning vpxd[17804] [Originator@6876 sub=VpxProfiler opID=HB-host-178749@295325-5fc97204] [VpxdHostSync] GetChanges host:<FQDN> [GetChangesTime] took 22346 ms
2017-02-27T09:54:15.759-07:00 info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- BEGIN task-internal-24069173 -- PerfMgr -- vim.PerformanceManager.queryProviderSummary -- ########-####-####-####-########47e2(########-####-####-####-########9972)
2017-02-27T09:54:15.759-07:00 info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- FINISH task-internal-24069173
2017-02-27T09:54:15.762-07:00 error vpxd[10620] [Originator@6876 sub=Main opID=########-####-####-####-########6943-4515-ngc-a-SWI-2ee5ebae] [Vpxd::VecsUtil::GetCertsFromStore] Unable to enumerate trusted roots from VECS localhost. error: 87
2017-02-27T09:54:15.763-07:00 error vpxd[18384] [Originator@6876 sub=Default opID=e05aa03] [VdbStatement] Execute result code: -1

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x
VMware vSphere ESXi 6.0
Cause
This issue occurs because VECS can only contain 22 certificates. This leads to an error when adding an ESXi host to the appliance, as it does not contain the root certificate.
Resolution
To resolve this issue:
1. Ensure we have a full backup of the environment.

2. Use vecs-cli (C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe) and export the data to a file:

   vecs-cli entry list --store TRUSTED_ROOTS > root-cert.txt

3. Determine which old/stale certs we can delete.

4. For each cert that can be deleted, copy it to an individual text file and save.

   Note: The certificates shown in this example are truncated for ease of reading with the text added to the right indicating the order in which the certificates should be pasted into the file. Do not copy this example. Ensure there are no spaces before or after any of the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines.

   For example:

   Alias : 8c506cc3806315ad8e1826464d168ff55ec67bfd
   Entry type : Trusted Cert
   Certificate : -----BEGIN CERTIFICATE-----
   [Base64-encoded certificate body]
   -----END CERTIFICATE-----

5. Copy the content from -----BEGIN CERTIFICATE----- till -----END CERTIFICATE----- to a text file and save it as cert#.crt

6. Open the file using Notepad and copy in the contents: the -----BEGIN CERTIFICATE----- line, the Base64 body and the -----END CERTIFICATE----- line, as in the example above.

7. Save as type All Files (*.*) and save the file name. Example: cert1.crt

8. To unregister the old stale cert, use C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe for each cert file:

   dir-cli.exe trustedcert unpublish --cert cert1.crt

9. Repeat steps 1 to 8 for each cert.

10. Re-add the hosts.
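The copy-and-paste part of the steps above can be scripted so that no stray whitespace ends up around the BEGIN/END lines. The following Python is an added example, not VMware tooling: it splits a root-cert.txt style export into clean PEM files, reports the entry count against the 22-certificate limit, and lists aliases that carry the same certificate. The function names, the sample listing and its aliases are constructed for illustration; choosing which certificates are stale remains the operator's decision.

```python
import base64
import hashlib
import re
from pathlib import Path

VECS_LIMIT = 22  # TRUSTED_ROOTS limit stated in this article's Cause section
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def parse_listing(text):
    """Parse vecs-cli 'entry list' text into alias / clean PEM / digest dicts."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Alias\s*:", text)[1:]:
        m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), chunk, re.S)
        if not chunk.split() or not m:
            continue  # no alias or no certificate body in this entry
        b64 = "".join(m.group(1).split())           # drop spaces and newlines
        der = base64.b64decode(b64, validate=True)  # raises on a damaged body
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        entries.append({"alias": chunk.split()[0],
                        "pem": f"{BEGIN}\n{body}\n{END}\n",
                        "sha256": hashlib.sha256(der).hexdigest()})
    return entries

def report(entries):
    """Entry count, room left under the limit, aliases sharing one cert."""
    by_digest = {}
    for e in entries:
        by_digest.setdefault(e["sha256"], []).append(e["alias"])
    return {"count": len(entries), "headroom": VECS_LIMIT - len(entries),
            "duplicates": [a for a in by_digest.values() if len(a) > 1]}

def write_selected(entries, aliases, outdir):
    """Write cert1.crt, cert2.crt, ... for the aliases the operator chose."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, e in enumerate((e for e in entries if e["alias"] in aliases), 1):
        paths.append(out / f"cert{n}.crt")
        paths[-1].write_bytes(e["pem"].encode("ascii"))
    return paths

SAMPLE = "".join(  # constructed listing; bodies are placeholder bytes, not certs
    f"Alias :\t{a}\nEntry type :\tTrusted Cert\n"
    f"Certificate :\t {BEGIN} \n{base64.b64encode(b * 90).decode()}\n  {END} \n"
    for a, b in [("constructed-1", b"A"), ("constructed-2", b"B"),
                 ("constructed-3", b"A")])

if __name__ == "__main__":
    print(report(parse_listing(SAMPLE)))
```

Each file written by write_selected can then be passed to the dir-cli trustedcert unpublish command from the steps above.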