ESXi certificate renewal failed with error, A general system error occurred: Unable to get CSR from host "hostname"


Article ID: 310686


Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

  • The vCenter UI reports an error similar to the following:

    A general system error occurred: Unable to get CSR from host

  • On the ESXi host, the following errors are logged in /var/run/log/hostd.log:

YYYY-MM-DDTHH:MM:SS.#### info hostd[32B82B70] [Originator@6876 sub=Vimsvc.TaskManager opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] Task Created : haTask--vim.host.CertificateManager.generateCertificateSigningRequestByDn-1769388
YYYY-MM-DDTHH:MM:SS.#### error hostd[3039FB70] [Originator@6876 sub=Vimsvc.CertMgr opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] GenerateCertificateSigningRequestByDn failed with error: Unable to parse subject name
YYYY-MM-DDTHH:MM:SS.#### info hostd[3039FB70] [Originator@6876 sub=Default opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] AdapterServer caught exception: vim.fault.HostConfigFault
YYYY-MM-DDTHH:MM:SS.#### info hostd[3039FB70] [Originator@6876 sub=Vimsvc.TaskManager opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] Task Completed : haTask--vim.host.CertificateManager.generateCertificateSigningRequestByDn-1769388 Status error
YYYY-MM-DDTHH:MM:SS.#### info hostd[3039FB70] [Originator@6876 sub=Solo.Vmomi opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] Activation [N5Vmomi10ActivationE:0x3153cdb0] : Invoke done [generateCertificateSigningRequestByDn] on [vim.host.CertificateManager:ha-certificate-manager]
YYYY-MM-DDTHH:MM:SS.#### verbose hostd[3039FB70] [Originator@6876 sub=Solo.Vmomi opID=HostCertificateCommandUtil-applyOnMultiEntity-13059-ngc-aa-SWI-666639ce-9bf0 user=vpxuser] Arg distinguishedName:
--> "/C=##/ST=/L=/O=########/OU=######/CN=######/emailAddress=##@#####.###"

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x

Cause

This issue arises when the certificate signing request (CSR) sent to the VMCA contains empty or missing fields in its distinguished name attributes.

  • In the example, the "State" and "Locality" values are blank:

"/C=##/ST=/L=/O=########/OU=#######/CN=########/emailAddress=####@######.###"

Resolution

  • In the vSphere Client, select the vCenter Server system that manages the hosts.
  • Click Configure, and click Advanced Settings.
  • Click Edit Settings.
  • Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt.certs to display only certificate management parameters.
  • Set values for the following parameters according to your company policy, and click Save. (These parameters should not be empty.)

    vpxd.certmgmt.certs.cn.country

    vpxd.certmgmt.certs.cn.email

    vpxd.certmgmt.certs.cn.localityName

    vpxd.certmgmt.certs.cn.organizationalUnitName

    vpxd.certmgmt.certs.cn.organizationName

    vpxd.certmgmt.certs.cn.state 

  • The next time you add a host to vCenter Server, the new settings are used in the CSR that vCenter Server sends to VMCA and in the certificate that is assigned to the host.
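
To confirm this cause from a collected hostd.log before changing settings, the following added example (not code from the original article or from VMware) reads the "Arg distinguishedName:" entry and lists the advanced settings whose DN field is blank or absent. The attribute-to-setting pairing, the function names and the sample log values are assumptions of this example.

```python
import re

# DN attribute -> vCenter advanced setting from the Resolution list.
# The pairing by name is an assumption of this example.
DN_TO_SETTING = {
    "C": "vpxd.certmgmt.certs.cn.country",
    "ST": "vpxd.certmgmt.certs.cn.state",
    "L": "vpxd.certmgmt.certs.cn.localityName",
    "O": "vpxd.certmgmt.certs.cn.organizationName",
    "OU": "vpxd.certmgmt.certs.cn.organizationalUnitName",
    "emailAddress": "vpxd.certmgmt.certs.cn.email",
}

# An attribute starts at "/NAME="; a bare "/" inside a value is tolerated.
ATTR = re.compile(r"/([A-Za-z][A-Za-z0-9.]*)=")

def parse_dn(dn):
    """Split an OpenSSL-style one-line DN into (attribute, value) pairs."""
    marks = list(ATTR.finditer(dn))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dn)
        pairs.append((m.group(1), dn[m.end():end].strip()))
    return pairs

def empty_dn_settings(log_text):
    """For each logged DN, return (line number, settings that need a value)."""
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Arg distinguishedName:" not in line:
            continue
        m = re.match(r'\s*-->\s*"(.*)"\s*$', lines[i + 1])
        if not m:
            continue
        present = dict(parse_dn(m.group(1)))
        # Flag attributes that are blank or missing altogether.
        missing = [s for a, s in DN_TO_SETTING.items() if not present.get(a)]
        findings.append((i + 1, missing))  # 1-based line of the Arg entry
    return findings

# Constructed sample modelled on the hostd.log excerpt above (values invented).
SAMPLE = '''2024-01-01T00:00:00.000Z verbose hostd[3039FB70] [Originator@6876 sub=Solo.Vmomi user=vpxuser] Arg distinguishedName:
--> "/C=US/ST=/L=/O=Example/OU=IT/CN=esx01.example.test/emailAddress=ops@example.test"
'''

if __name__ == "__main__":
    for lineno, missing in empty_dn_settings(SAMPLE):
        print(f"line {lineno}: set {', '.join(missing) or 'nothing (DN complete)'}")
```
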

Additional Information