Unable to push CA certificates and CRLs to host <ix-ip>
vpxd.certmgmt.mode on vCenter is "vmca".
/common/logs/admin/app.log
2023-11-########UTC [InterconnectService_SvcThread-56, SM:servicemesh-36d7bed4-3252-4bd1-b81f-########, IX:########-bc17-4345-a943-########, J:0803b241, , TxId: TxId: accf04e9-b3b7-4fc3-8802-########] ERROR c.v.v.h.s.i.InterconnectConfigureMA- Task task-264175 errored out, error : A general system error occurred: Unable to push CA certificates and CRLs to host <ix-ip>
/var/log/vmware/mobilityagent.log
2023-11-####181Z warning mobilityagent[02079] [Originator@6876 sub=Libs opID=TxId: 16d79ac9-b844-4d98-86af-########-f8-8302 user=vpxuser:VSPHERE.LOCAL\vcsa] SSL_CheckKeySizeAndAlgorithm: Certificate for '' uses unsafe digest algorithm (NID=65)
2023-11-####181Z error mobilityagent[02079] [Originator@6876 sub=Vimsvc.CertMgr opID=TxId: 16d79ac9-b844-4d98-86af-########-f8-8302 user=vpxuser:VSPHERE.LOCAL\vcsa] ReplaceCACertificatesAndCRLs failed with error: Weak digest algorithm/pkey used
/var/log/vmware/vpxd/vpxd.log
2023-11-#### info vpxd[45485] [Originator@6876 sub=Default opID=918b1e84-1358-4764-845b-f96d1b317a22-da] [VpxLRO] -- ERROR task-597525 -- group-h1003 -- vim.Folder.addStandaloneHost: vmodl.fault.SystemError: --> Result: --> (vmodl.fault.SystemError) { --> faultCause = (vmodl.MethodFault) null, --> faultMessage = <unset>, --> reason = "Unable to push CA certificates and CRLs to host <ix-ip>"
HCX 4.8
vCenter Server 7.x or earlier
During Mobility Agent host addition, vCenter pushes its trusted CA certificates and CRLs to the HCX-IX appliance. The IX rejects any certificate signed with a weak digest algorithm (the mobilityagent.log entry above reports NID=65, which is OpenSSL's sha1WithRSAEncryption), so the host addition fails whenever the vCenter TRUSTED_ROOTS store contains a SHA1-signed certificate.
This issue is resolved in HCX 4.8.2.
Workaround:
Run the following command over SSH on the vCSA to check the TRUSTED_ROOTS store for trusted certificates signed with a weak (SHA1) algorithm:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep "Signature Algorithm:"
If vpxd.certmgmt.mode on vCenter is "custom", then follow Mobility Agent deployment fails with vCenter certificate management set to "custom" mode.
Weak signature algorithms (SHA1) are no longer supported in vCenter 8.0, so replace any SHA1-signed certificates the command finds with SHA256-signed ones before retrying the host addition.
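The grep in the workaround shows bare "Signature Algorithm:" lines that cannot be traced back to a store entry. The following POSIX shell script is an added example (not from this article and not VMware's tooling): it parses the same vecs-cli listing and prints one verdict per alias, so the SHA1-signed entries that need replacing can be identified by alias. It assumes the listing layout vecs-cli prints (an "Alias :" line per entry followed by an openssl x509 -text style dump); the embedded listing is a constructed sample with invented aliases and subjects, and live_check runs the real command only when vecs-cli is present on the host.

```shell
#!/bin/sh
# Added example, not part of the KB article: flag SHA1/MD5-signed entries in
# the vCenter TRUSTED_ROOTS store, one verdict per alias.

# Parse `vecs-cli entry list --store TRUSTED_ROOTS --text` output from stdin.
# Assumption: each entry starts with an "Alias :" line and the certificate is
# dumped in openssl x509 -text form, where "Signature Algorithm:" appears
# twice per cert (TBS and trailer); the first occurrence per alias is used.
# Output: alias<TAB>signature-algorithm<TAB>WEAK|ok|unknown
flag_weak_sigalgs() {
  awk '
    function flush() {
      if (alias == "") return
      verdict = "unknown"
      if (alg != "") verdict = (tolower(alg) ~ /(sha1|md5|md2)/) ? "WEAK" : "ok"
      printf "%s\t%s\t%s\n", alias, alg, verdict
      alias = ""; alg = ""
    }
    /^Alias[ \t]*:/ {
      flush()
      alias = $0; sub(/^Alias[ \t]*:[ \t]*/, "", alias)
    }
    /Signature Algorithm:/ && alg == "" {
      alg = $0; sub(/.*Signature Algorithm:[ \t]*/, "", alg)
    }
    END { flush() }
  '
}

# Number of WEAK entries in a listing read from stdin.
count_weak_sigalgs() {
  flag_weak_sigalgs | awk '$NF == "WEAK" { n++ } END { print n + 0 }'
}

# Live check on the vCSA (run over SSH as root); skipped where vecs-cli is absent.
live_check() {
  vecs=/usr/lib/vmware-vmafd/bin/vecs-cli
  [ -x "$vecs" ] || { echo "vecs-cli not found; skipping live check" >&2; return 0; }
  "$vecs" entry list --store TRUSTED_ROOTS --text | flag_weak_sigalgs
}

# Constructed sample listing (aliases, subjects and serials are invented):
# one SHA-256 root and one legacy SHA1 root. PEM bodies are omitted.
SAMPLE_LISTING='Number of entries in store : 2
Alias : a1b2c3d4e5f60718293a4b5c6d7e8f9001122334
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
Alias : 00112233445566778899aabbccddeeff00112233
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=legacy-root
    Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
'

# Run the parser over the constructed sample, then the live store if available.
printf '%s' "$SAMPLE_LISTING" | flag_weak_sigalgs
echo "weak entries in sample: $(printf '%s' "$SAMPLE_LISTING" | count_weak_sigalgs)"
live_check
```

On a vCSA, pipe the real listing through flag_weak_sigalgs and replace every alias reported as WEAK with a SHA256-signed certificate; the alias is what vecs-cli needs to address the entry.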