SDDC Precheck failure with Error when getting VIM Client for ESXi host with id - xxxxxxxxxxxxx

Article ID: 316010

Products

VMware Cloud Foundation

Issue/Introduction

  • SDDC Manager precheck error at ESXi VIM Connection
    Error when getting VIM client for ESX host with id . xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx8271
  • Error in /var/log/vmware/vcf/operationsmanager/operationsmanager.log
    ERROR [vcf_om, df87fa297afc908d, cfdf] [c.v.e.s.c.c.v.vsphere.VsphereClient, om-exec-22] Failed to connect to https://esxi-example.com:443/sdk
    com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Cause

Two of the possible causes of the ESXi VIM connection precheck error in SDDC are:
  • SDDC Manager is unable to validate the certificate chain for the host
  • The vCenter certificate has changed outside of SDDC and the SDDC Manager is still referencing the old root certificate.

Resolution

  1. Check vCenter certificate status
    1. SSH to vCenter as root
    2. Run the following command:
      for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  2. If the vCenter Server certificate expired and was renewed outside of SDDC, import the root certificate of the vCenter Server into SDDC. Refer to "How to import the vCenter root certificate into the SDDC manager TrustStore".
  3. Re-run the precheck from SDDC Manager
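
To turn the listing from step 1 into a quick verdict, the following added example (not part of the original article) reads the loop's output and marks each entry EXPIRED, EXPIRING or OK. The function names, the 30-day window and the sample listing are constructed for illustration, and GNU date is assumed.

```shell
#!/bin/sh
# Added example (not from the KB): flag expired or soon-to-expire VECS entries.
# stdin: output of the vecs-cli loop in step 1 ("[*] Store", "Alias", "Not After").
# $1 = warning window in days; $2 = "now" in epoch seconds (optional, repeatable runs).
# Assumes GNU date (-d) is available.

trim() { sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

vecs_expiry_report() {
    warn_days=$1
    now=${2:-$(date +%s)}
    store="" entry=""
    while IFS= read -r line; do
        case $line in
            "[*] Store :"*) store=$(printf '%s' "${line#*:}" | trim) ;;
            *Alias*:*)      entry=$(printf '%s' "${line#*:}" | trim) ;;
            *"Not After"*:*)
                not_after=$(printf '%s' "${line#*:}" | trim)
                # An unparsable date is reported instead of being silently skipped
                if ! exp=$(date -u -d "$not_after" +%s 2>/dev/null); then
                    printf 'UNPARSED %s %s\n' "$store" "$entry"
                    continue
                fi
                days=$(( ($exp - $now) / 86400 ))
                if [ "$exp" -le "$now" ]; then status=EXPIRED
                elif [ "$days" -lt "$warn_days" ]; then status=EXPIRING
                else status=OK
                fi
                printf '%s %s %s %sd\n' "$status" "$store" "$entry" "$days"
                ;;
        esac
    done
}

# Constructed sample of the step 1 output (not captured from a real vCenter)
sample_listing() {
    cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jan 10 00:00:00 2024 GMT
[*] Store : TRUSTED_ROOTS
Alias : constructed-root-1
            Not After : Jan  1 00:00:00 2034 GMT
[*] Store : machine
Alias : machine
            Not After : Jan 20 00:00:00 2024 GMT
EOF
}

# Demo with "now" fixed at 2024-01-15 00:00:00 UTC so the output is repeatable
sample_listing | vecs_expiry_report 30 1705276800
```

On a vCenter, pipe the loop from step 1 into `vecs_expiry_report 30` and omit the second argument to compare against the current time.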