Exporting Log bundle of ESXi host from vCenter Server does not show the log type selection window to select the specific logs to export

Article ID: 313412

Products

VMware vCenter Server 7.0
VMware vCenter Server 8.0

Issue/Introduction

  • When exporting logs for a selected host in vCenter using the vSphere Client UI, the log type selection tree used to choose which logs to export is not available.

  • The screenshots below show the wizard for working and non-working hosts:

    Good Host:

    The Export System Logs wizard shows the log type selection window (highlighted in the green box):



    Non-Working Host:

    In this scenario, the log type selection window is missing.



  • Step 5 (quoted below) of the document Export System Log Files cannot be performed:

    "If the selected host supports manifest driven exports of system log files, select the system log files to collect. Select the specific system log files to download."


  • The certificate mode "vpxd.certmgmt.mode" on vCenter Server is set to "thumbprint". Refer to Change the ESXi Certificate Mode for more details.

Cause

The CA certificates for the ESXi hosts might not be available in the TRUSTED_ROOTS store of vCenter Server when "vpxd.certmgmt.mode" is set to "thumbprint" on vCenter Server. When logs are exported for a host attached to the vCenter Server using the vSphere Client UI, the envoy sidecar internally tries to verify the host certificate against the trusted root certificates, and this operation fails. As a result, the UI does not show the log tree (which lets the user select the log types to export).

Resolution

This is a known issue on vCenter Server 7.x and 8.x, and there is currently no resolution.

Workaround:

To work around the issue, use any of the options below.

Option 1:

Export logs from the ESXi host directly rather than using the vSphere Client UI.

Option 2:

The vSphere UI uses the TRUSTED_ROOTS certificate store to trust the host certificates. This works if the CA certificate that signed the ESXi certificates is available in TRUSTED_ROOTS.

Publish the CA certificates on vCenter Server using the following commands:

  • Command to list the Certificates in TRUSTED_ROOTS

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

  • Command to publish the CA Certificate to TRUSTED_ROOTS

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/CA_certificate.crt

    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
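
To confirm that Option 2 addresses the cause described above, the following added example (not part of the original KB or of VMware's tooling) checks whether a host certificate verifies against the certificates currently in TRUSTED_ROOTS. The function names, the /tmp paths and the host name are assumptions.

```bash
#!/bin/bash
# Added example, not from the KB. Run on the vCenter Server appliance.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Dump every certificate in TRUSTED_ROOTS into one PEM bundle.
export_trusted_roots() {
    local bundle=$1 alias
    : > "$bundle"
    "$VECS_CLI" entry list --store TRUSTED_ROOTS | awk '/^Alias/ {print $NF}' |
    while read -r alias; do
        "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$alias" >> "$bundle"
    done
}

# Save the certificate that the host presents on port 443 as PEM.
fetch_host_cert() {
    local host=$1 out=$2
    openssl s_client -connect "$host:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$out"
}

# Succeeds only when the certificate verifies against the bundle.
# Matches on the ": OK" text because some older OpenSSL builds exit 0
# even when verification fails.
host_cert_trusted() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Print a one-line verdict with the issuer; return 1 when the certificate
# does not verify (for this KB, typically the issuing CA is absent).
report_host() {
    local cert=$1 bundle=$2 issuer
    issuer=$(openssl x509 -noout -issuer -in "$cert") || return 2
    if host_cert_trusted "$cert" "$bundle"; then
        echo "TRUSTED   $issuer"
    else
        echo "UNTRUSTED $issuer"
        return 1
    fi
}

# Usage (host name is a placeholder):
#   export_trusted_roots /tmp/trusted_roots.pem
#   fetch_host_cert esxi01.example.test /tmp/esxi01.pem
#   report_host /tmp/esxi01.pem /tmp/trusted_roots.pem
```

An UNTRUSTED verdict that changes to TRUSTED after the publish and force-refresh commands indicates that the issuing CA was the missing piece.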

Option 3:

Change the certificate mode (vpxd.certmgmt.mode) on vCenter Server to "vmca" or "custom" (with the custom certificates listed in the trusted root certificates).

Important Note:

  • Communication issues between vCenter Server and the ESXi hosts can occur after changing the certificate mode on vCenter Server. To avoid them, perform "Refresh CA" and "Renew certificate" for each host using the vSphere Client or PowerCLI after changing the certificate mode.
  • A sample PowerCLI script is available in the Additional Information section of this KB.
  • Refer to Renew or Refresh ESXi Certificates for more details on the Refresh and Renew certificate operations.

 

Additional Information

Sample PowerCLI script to refresh ESXi host certificates.

# To use this script, pipe host names to it.
# First, dot-source the script to import the function:
# > . c:\path\to\script.ps1
# > Get-Cluster | Get-VMHost | ForEach-Object { $_.Name } | refreshcerts
function refreshcerts
{
    Process {
        Write-Host "Processing $_"

        # Build a one-element array holding the host's managed object reference.
        $hostid = Get-VMHost $_ | Get-View
        $hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1)
        $hostParam[0] = New-Object VMware.Vim.ManagedObjectReference
        $hostParam[0].value = $hostid.moref.value
        $hostParam[0].type = 'HostSystem'

        $_this = Get-View -Id 'CertificateManager-certificateManager'

        # Refresh the CA certificates and CRLs on the host.
        $task = $_this.CertMgrRefreshCACertificatesAndCRLs_Task($hostParam)
        Wait-Task -Task $task

        # Renew the host certificate.
        $task = $_this.CertMgrRefreshCertificates_Task($hostParam)
        Wait-Task -Task $task
    }
    End {
        Start-Sleep -Seconds 10
        Write-Host "Done"
    }
}