Failed to add server certificate on Trust Authority hosts after renewing certificates from KMS side.


Article ID: 312108


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides a workaround for the error com.vmware.vcenter.trusted_infrastructure.cluster.inconsistent_state, which can occur when a user tries to modify the Trust Authority server certificates while the cluster is in an inconsistent state.

Symptoms:

Running the Add-TrustAuthorityKeyProviderServerCertificate command fails with the error "com.vmware.vcenter.trusted_infrastructure.cluster.inconsistent_state".


Environment

VMware vSphere PowerCLI 13.0
VMware vSphere PowerCLI 12.0

Cause

An external update of the KMS certificates may leave the server certificates configured on different Trust Authority hosts inconsistent with one another. The cluster is then treated as being in an inconsistent state, and some server-certificate-related commands (such as Add-TrustAuthorityKeyProviderServerCertificate) may fail.

Resolution

Fix the server certificates on the Trust Authority hosts by reconfiguring them so that they are consistent.


Workaround:

Run the Get-TrustAuthorityKeyProviderServerCertificate command to get the current server certificate of the current key provider, and then use the Set-TrustAuthorityKeyProviderServerCertificate command to set the obtained certificates on the Trust Authority hosts.
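
The workaround above as a PowerCLI session; this is an added example, not a script from the article. The vCenter address, cluster name, key provider name and expected thumbprint are placeholders, and the thumbprint comparison before trusting the renewed certificate is an added check. The -KeyProvider/-Certificate parameters of Set-TrustAuthorityKeyProviderServerCertificate and the Certificate, Trusted and KeyProviderServerId properties are assumptions to confirm with Get-Help and Get-Member in your PowerCLI version.

```powershell
# Added example. All names and values below are placeholders.
$vCenter      = 'ta-vcenter.example.test'   # vCenter of the Trust Authority cluster
$clusterName  = 'TA-Cluster'
$providerName = 'kp1'
# Thumbprint(s) of the renewed KMS certificate, obtained out of band from the KMS admin.
$expectedThumbprints = @('<THUMBPRINT-FROM-KMS-ADMIN>')

Connect-VIServer -Server $vCenter | Out-Null

# Locate the key provider on the Trust Authority cluster.
$taCluster = Get-TrustAuthorityCluster $clusterName
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $taCluster |
      Where-Object { $_.Name -eq $providerName }
if (-not $kp) { throw "Key provider '$providerName' not found on '$clusterName'." }

# Step 1: get the current server certificates of the key provider.
$certs = Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers

# Show what each key server presents and whether it is currently trusted.
$certs | ForEach-Object {
    [pscustomobject]@{
        Server     = $_.KeyProviderServerId
        Trusted    = $_.Trusted
        Thumbprint = $_.Certificate.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
    }
} | Format-Table -AutoSize

# Added check: stop if any presented certificate is not the one the KMS admin issued.
$unexpected = $certs | Where-Object { $expectedThumbprints -notcontains $_.Certificate.Thumbprint }
if ($unexpected) {
    throw "Unexpected KMS certificate thumbprint(s): $($unexpected.Certificate.Thumbprint -join ', ')"
}

# Step 2: set the obtained certificates so all Trust Authority hosts agree.
# Parameter names are an assumption; verify with:
#   Get-Help Set-TrustAuthorityKeyProviderServerCertificate -Full
Set-TrustAuthorityKeyProviderServerCertificate -KeyProvider $kp -Certificate $certs.Certificate

# Re-read the state; every server certificate should now report Trusted = True.
Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers |
    Select-Object KeyProviderServerId, Trusted
```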