Adding an ESXi host to the vCenter Appliance prompts the following error: "does not contain the root certificate chain"


Article ID: 310571


Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • Attempt to refresh certificate on ESXi host fails
  • In the ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd.log file, you see entries similar to:


    2017-02-27T09:54:16.096-07:00 info vpxd[05004] [Originator@6876 sub=vpxLro opID=de88b6f6-183a-459e-a5f9-bb83a30b6943-4515-ngc-a] [VpxLRO] -- FINISH task-6155674
    2017-02-27T09:54:16.096-07:00 info vpxd[05004] [Originator@6876 sub=Default opID=de88b6f6-183a-459e-a5f9-bb83a30b6943-4515-ngc-a] [VpxLRO] -- ERROR task-6155674 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError:
    --> Result:
    --> (vmodl.fault.SystemError) {
    --> faultCause = (vmodl.MethodFault) null,
    --> reason = "Unable to get root certificates from VECS
    --> ",
    --> msg = ""
    --> }
    --> Args:
    -->
    --> Arg host:
    --> (ManagedObjectReference) [
    --> 'vim.HostSystem:50E67513-DD1F-4E7C-B39D-E7AD1F33C211:host-257606'
    --> ]
    2017-02-27T09:54:16.101-07:00 warning vpxd[17804] [Originator@6876 sub=VpxProfiler opID=HB-host-178749@295325-5fc97204] [VpxdHostSync] GetChanges host:<FQDN> [GetChangesTime] took 22346 ms

    2017-02-27T09:54:15.759-07:00 info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- BEGIN task-internal-24069173 -- PerfMgr -- vim.PerformanceManager.queryProviderSummary -- 5276e3e3-7aff-4aeb-bc66-ee42317947e2(52de4b75-285d-d7bb-43b0-a12766959972)
    2017-02-27T09:54:15.759-07:00 info vpxd[11192] [Originator@6876 sub=vpxLro opID=4c33e800] [VpxLRO] -- FINISH task-internal-24069173

    2017-02-27T09:54:15.762-07:00 error vpxd[10620] [Originator@6876 sub=Main opID=de88b6f6-183a-459e-a5f9-bb83a30b6943-4515-ngc-a-SWI-2ee5ebae] [Vpxd::VecsUtil::GetCertsFromStore] Unable to enumerate trusted roots from VECS localhost. error: 87

    2017-02-27T09:54:15.763-07:00 error vpxd[18384] [Originator@6876 sub=Default opID=e05aa03] [VdbStatement] Execute result code: -1


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x
VMware vSphere ESXi 6.0

Cause

This issue occurs because VECS can only contain 22 certificates. Once that limit is reached, adding an ESXi host to the appliance fails with the error "does not contain the root certificate chain".

Resolution

To resolve this issue:
  1. Ensure you have a full backup of the environment.

  2. Use vecs-cli to export the contents of the store to a file:

    C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

    vecs-cli entry list --store TRUSTED_ROOTS > root-cert.txt

    Determine which old/stale certificates can be deleted. For each certificate that can be deleted, copy its entry to an individual text file and save it.

    Note: The certificate shown in this example is truncated for ease of reading. Do not copy this example. Ensure there are no spaces before or after any of the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines.
    For example:

    Alias : 8c506cc3806315ad8e1826464d168ff55ec67bfd
    Entry type : Trusted Cert
    Certificate : -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----


     
  3. Copy the content from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- into a text file and save it as cert#.crt.
     
  4. Open the file in Notepad.
     
  5. Copy these contents:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

     
  6. Set Save as type to All Files (*.*).

  7. Enter the file name and save.

    Example: cert1.crt
     
  8. To unregister the old stale certificate, run C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe for each certificate file:

    dir-cli.exe trustedcert unpublish --cert cert1.crt
     
  9. Repeat steps 1 to 8 for each certificate.
     
  10. Re-add the hosts.
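A helper for steps 2 through 8, added here as an illustration and not part of VMware's own tooling: it parses the saved vecs-cli listing, reports whether the store has reached the 22-entry limit from the Cause section, checks each selected certificate's PEM framing (exact BEGIN/END lines with no surrounding spaces, decodable base64 body), and produces the cert<N>.crt contents together with the matching dir-cli unpublish command for review. The sample listing, its second alias and both certificate bodies are constructed placeholders; which aliases are stale is still the administrator's decision.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS` output (placeholder bodies).
SAMPLE_LISTING = """\
Alias : 8c506cc3806315ad8e1826464d168ff55ec67bfd
Certificate : -----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIJAKfakeFAKEfakeFAKEfakeFAKEAB
-----END CERTIFICATE-----
Alias : 0123456789abcdef0123456789abcdef01234567
Certificate : -----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIJAKfakeFAKEfakeFAKEfakeFAKECD
-----END CERTIFICATE-----
"""

def parse_vecs_listing(text):
    """Split the listing into (alias, pem) pairs, one per TRUSTED_ROOTS entry."""
    entries, alias, pem = [], None, None  # pem is None outside a PEM block
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif BEGIN in line:  # the "Certificate : -----BEGIN CERTIFICATE-----" line
            pem = [BEGIN]
        elif line == END:
            entries.append((alias, "\n".join(pem + [END])))
            pem = None
        elif pem is not None and line:
            pem.append(line)
    return entries

def pem_is_well_formed(pem):
    """Exact BEGIN/END lines with no surrounding spaces and a decodable base64 body."""
    lines = pem.split("\n")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(lines) > 2 and lines[0] == BEGIN and lines[-1] == END

def cert_files_for(entries, stale_aliases):
    # (file name, file content, unpublish command) per stale alias, as in steps 3 to 8
    stale = [(a, p) for a, p in entries if a in stale_aliases]
    if not all(pem_is_well_formed(p) for _, p in stale):
        raise ValueError("a selected entry has a malformed PEM block")
    return [(f"cert{n}.crt", p + "\n", f"dir-cli.exe trustedcert unpublish --cert cert{n}.crt")
            for n, (_, p) in enumerate(stale, start=1)]

def store_is_full(entries):
    return len(entries) >= 22  # VECS capacity stated in the Cause section
```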


Additional Information

Error "Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store" while upgrading to vSphere 6.7
Adding an ESXi host to the vCenter Appliance displays the following error: "does not contain the root certificate chain"