Adding an ESXi host to the vCenter Appliance prompts the following error: "does not contain the root certificate chain"

Article ID: 310571

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • Attempting to refresh the certificate on an ESXi host fails.
  • vpxd.log contains entries similar to the following:

    YYYY-MM-DD HH:MM:SS info vpxd[05004] [Originator@6876 sub=vpxLro opID=########-####-####-####-########6943-4515-ngc-a] [VpxLRO] -- FINISH task-6155674
    YYYY-MM-DD HH:MM:SS info vpxd[05004] [Originator@6876 sub=Default opID=########-####-####-####-########6943-4515-ngc-a] [VpxLRO] -- ERROR task-6155674 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError:
    --> Result:
    --> (vmodl.fault.SystemError) {
    --> faultCause = (vmodl.MethodFault) null,
    --> reason = "Unable to get root certificates from VECS
    --> ",
    --> msg = ""
    --> }
    --> Args:
    -->
    --> Arg host:
    --> (ManagedObjectReference) [
    --> 'vim.HostSystem:########-####-####-####-########C211:host-257606'
    --> ]
    YYYY-MM-DD HH:MM:SS warning vpxd[17804] [Originator@6876 sub=VpxProfiler opID=HB-host-178749@295325-5fc97204] [VpxdHostSync] GetChanges host:<FQDN> [GetChangesTime] took 22346 ms

    YYYY-MM-DD HH:MM:SS info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- BEGIN task-internal-24069173 -- PerfMgr -- vim.PerformanceManager.queryProviderSummary -- ########-####-####-####-########47e2(########-####-####-####-########9972)
    2017-02-27T09:54:15.759-07:00 info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- FINISH task-internal-24069173

    YYYY-MM-DD HH:MM:SS error vpxd[10620] [Originator@6876 sub=Main opID=########-####-####-####-########6943-4515-ngc-a-SWI-2ee5ebae] [Vpxd::VecsUtil::GetCertsFromStore] Unable to enumerate trusted roots from VECS localhost. error: 87

    YYYY-MM-DD HH:MM:SS error vpxd[18384] [Originator@6876 sub=Default opID=e05aa03] [VdbStatement] Execute result code: -1

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server 6.0.x
VMware vSphere ESXi 6.0

Cause

  • VECS can contain a maximum of 22 certificates.
  • The root certificate of the ESXi host (custom CA or VMCA) is not present in the TRUSTED_ROOTS store.

Resolution

To resolve this issue:

  1. Ensure that you have a full backup of the environment.
  2. Follow the instructions in the KB article below to unpublish the old and stale certificates.

    Removing/unpublishing the stale and old certs from vecs cli store

  3. Make sure that the root certificate and the intermediate certificate are present in the VECS TRUSTED_ROOTS store.
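As an added example (not part of this KB and not a VMware tool), the POSIX shell helpers below audit the two causes above on the appliance: how close the TRUSTED_ROOTS store is to the 22-entry limit, whether the ESXi root CA is published, and how many vpxd.log lines carry the VECS root-certificate failure. The vecs-cli path, the listing layout, and the assumption that TRUSTED_ROOTS aliases are SHA-1 fingerprints are assumptions to verify against your own `vecs-cli entry list` output; the sample listing and log lines are constructed.

```shell
# Added example, not from the KB. Audit helpers for the VECS TRUSTED_ROOTS store
# and vpxd.log. Listing layout and alias format are assumptions about vecs-cli
# output; confirm them against a real listing before relying on the checks.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # usual VCSA path (assumption)
VECS_MAX=22                                   # entry limit stated in this KB

# Number of certificate entries in a 'vecs-cli entry list' listing passed as $1.
count_entries() {
    printf '%s\n' "$1" | grep -c '^Alias' || true
}

# OK, NEAR_LIMIT (two or fewer free slots) or FULL for listing $1.
store_status() {
    n=$(count_entries "$1")
    if [ "$n" -ge "$VECS_MAX" ]; then echo FULL
    elif [ "$n" -ge $((VECS_MAX - 2)) ]; then echo NEAR_LIMIT
    else echo OK; fi
}

# Succeeds when alias $2 (SHA-1 fingerprint, hex, no colons) is in listing $1.
has_alias() {
    printf '%s\n' "$1" | grep -qi "^Alias[[:space:]]*:[[:space:]]*$2[[:space:]]*\$"
}

# SHA-1 fingerprint of PEM file $1 in the alias form assumed above.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Count vpxd.log lines ($1) reporting the VECS root-certificate failure from this KB.
count_vecs_root_errors() {
    printf '%s\n' "$1" | grep -cE 'Unable to (enumerate trusted roots|get root certificates) from VECS' || true
}

# Constructed listing with $1 entries in the assumed layout; alias i is a fake
# 40-hex-digit fingerprint so the helpers can be exercised offline.
make_listing() {
    i=1
    printf 'Number of entries in store :\t%s\n' "$1"
    while [ "$i" -le "$1" ]; do
        printf 'Alias :\t%040d\nEntry type :\tTrusted Cert\nCertificate:\n-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n' "$i"
        i=$((i + 1))
    done
}
# Live use on the appliance (commented out so the example runs offline):
#   listing=$("$VECS_CLI" entry list --store TRUSTED_ROOTS); store_status "$listing"
#   has_alias "$listing" "$(pem_fingerprint /tmp/esxi-root-ca.pem)" && echo "root present"
#   count_vecs_root_errors "$(cat /var/log/vmware/vpxd/vpxd.log)"
```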