Deploying a template with customization fails with the error: Authenticity of the host's SSL certificate is not verified

Article ID: 313995


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

When you are updating or regenerating the default certificates on the host using the vCenter Server Appliance, you experience these symptoms:

  • You are unable to deploy a virtual machine template using the Customize option.
  • Deploying the same template without selecting Customize is successful.
  • In the /var/log/vmware/vpx/vpxd.log file, you see entries similar to:

    <YYYY-MM-DD>T<time>Z [7FCCC90C6700 warning 'Default' opID=8BE0319D-00003357-e7-22] SSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    -->
    <YYYY-MM-DD>T<time>Z [7FCCC90C6700 warning 'Default' opID=8BE0319D-00003357-e7-22] SSL: connect failed
    -->
    <YYYY-MM-DD>T<time>Z [7FCCC90C6700 error 'provisioningvpxNfcClient' opID=8BE0319D-00003357-e7-22] [VpxNfcClient] Unable to connect to NFC server: The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate
    <YYYY-MM-DD>T<time>Z [7FCCC90C6700 info 'Default' opID=8BE0319D-00003357-e7-22] [VmCustomizer] Successfully deleted file/directory /tmp/imcf-QdjBkH
    <YYYY-MM-DD>T<time>Z [7FCCC90C6700 error 'VmProv' opID=8BE0319D-00003357-e7-22] [Workflow] Get exception while executing action vpx.vmprov.CustomizeVm: vim.fault.SSLVerifyFault
    --> backtrace[00] rip 00007fccdcf31fa4 Vmacore::System::Stacktrace::CaptureWork(unsigned int)
    --> backtrace[01] rip 00007fccdce1c0c2 Vmacore::System::SystemFactoryImpl::CreateQuickBacktrace(Vmacore::Ref<Vmacore::System::Backtrace>&)
    --> backtrace[02] rip 00007fccdcd7d835 Vmacore::Throwable::Throwable(std::string const&)
    --> backtrace[03] rip 00007fcce4023dc9 Vmomi::MethodFault::Exception::Exception(Vmomi::MethodFault*)
    --> backtrace[04] rip 00007fcce4c0c0e5 /usr/lib/vmware-vpx/vpxd(+0x1abe0e5) [0x7fcce4c0c0e5]
    --> backtrace[05] rip 00007fcce4248473 /usr/lib/vmware-vpx/vpxd(+0x10fa473) [0x7fcce4248473]
    --> backtrace[06] rip 00007fcce42508d8 /usr/lib/vmware-vpx/vpxd(+0x11028d8) [0x7fcce42508d8]
    --> backtrace[07] rip 00007fcce56f353a /usr/lib/vmware-vpx/vpxd(+0x25a553a) [0x7fcce56f353a]
    --> backtrace[08] rip 00007fcce569d2b6 /usr/lib/vmware-vpx/vpxd(+0x254f2b6) [0x7fcce569d2b6]
    --> backtrace[09] rip 00007fcce569d6a3 /usr/lib/vmware-vpx/vpxd(+0x254f6a3) [0x7fcce569d6a3]
    --> backtrace[10] rip 00007fcce550f298 /usr/lib/vmware-vpx/vpxd(+0x23c1298) [0x7fcce550f298]


Cause

This issue occurs when a host's SSL thumbprint differs from the expected_ssl_thumbprint field in the VPX_HOST table of the vCenter Server database.

Resolution

This is a known issue. Currently, there is no resolution.
 
To work around this issue, locate the host entity within the VPX_HOST table of the vCenter Server database and replace the expected_ssl_thumbprint with the value from host_ssl_thumbprint.
 
Caution: This process modifies the vCenter Server database. Take a snapshot of the vCenter Server Appliance before proceeding.
 
To replace the expected_ssl_thumbprint with the value from host_ssl_thumbprint:
 
  1. Stop the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).

    Note: Before stopping the service, VMware recommends logging in to vCenter Server using the vSphere Client and identifying the ESXi host on which the vCenter Server Appliance is currently running.
     
  2. Using the vSphere Client, connect to the ESXi host on which the vCenter Server Appliance is running and take a snapshot of the appliance.
  3. Log in to the vCenter Server Appliance as root using SSH.
  4. Run this command to connect to the vCenter Server embedded database:

    sudo /opt/vmware/vpostgres/1.0/bin/psql -d VCDB vc
     
  5. Run this command to display the required contents of the VPX_HOST table:

    SELECT id, dns_name, host_ssl_thumbprint, expected_ssl_thumbprint FROM vpx_host;
     
  6. Identify any mismatches between the host_ssl_thumbprint and expected_ssl_thumbprint fields and make a note of the dns_name field.
  7. For each mismatched entry, run this command, replacing dnsname with the name noted from the dns_name field in step 6:

    UPDATE VPX_HOST SET expected_ssl_thumbprint = host_ssl_thumbprint WHERE DNS_NAME = 'dnsname';
     
  8. Run this command to quit:

    \q
     
  9. Start the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).
  10. Restart the clone process.
  11. If the clone process is successful, remove the snapshot from the vCenter Server Appliance.
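
Steps 5 to 7 can be run inside a single transaction so that only the mismatched rows are listed and each change is reviewed before it is committed. This is an added example, not part of VMware's procedure; it assumes the embedded database accepts standard PostgreSQL syntax (IS DISTINCT FROM, UPDATE ... RETURNING) and uses dnsname as the same placeholder as step 7.

```sql
-- Added example: steps 5 to 7 run as one reviewed transaction.
-- Table and column names are the ones named in this article;
-- 'dnsname' is a placeholder for the dns_name value of one affected host.
BEGIN;

-- Steps 5 and 6: list only the hosts whose recorded and expected
-- thumbprints differ. IS DISTINCT FROM also catches a NULL on either
-- side, which a plain <> comparison would silently skip.
SELECT id, dns_name, host_ssl_thumbprint, expected_ssl_thumbprint
FROM vpx_host
WHERE expected_ssl_thumbprint IS DISTINCT FROM host_ssl_thumbprint;

-- Before changing anything, confirm that host_ssl_thumbprint for the host
-- is the thumbprint of the certificate you installed on it: after the
-- update, that value is what vCenter Server expects the host to present.

-- Step 7: update one host at a time. RETURNING prints the rows that were
-- changed, so zero rows or more than one row is visible before COMMIT.
UPDATE vpx_host
SET expected_ssl_thumbprint = host_ssl_thumbprint
WHERE dns_name = 'dnsname'
  AND expected_ssl_thumbprint IS DISTINCT FROM host_ssl_thumbprint
RETURNING id, dns_name, expected_ssl_thumbprint;

-- Re-check: the host just updated should no longer appear in this list.
SELECT id, dns_name
FROM vpx_host
WHERE expected_ssl_thumbprint IS DISTINCT FROM host_ssl_thumbprint;

-- COMMIT if exactly the intended row was changed; otherwise use ROLLBACK.
COMMIT;
```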


Additional Information


How to stop, start, or restart vCenter Server services
How to stop, start, or restart vCenter Server Appliance 5.x services