HCX - Mobility Agent deployment fails with vCenter certificate management set to "custom" mode



Article ID: 316379


Updated On:

Products

VMware HCX

Issue/Introduction

Identify a known limitation and provide an alternative method for HCX deployment.

Symptoms:

The HCX Service Mesh configuration workflow fails to deploy the Mobility Agent (MA) virtual host with the following error message:

applianceLifecycyle job failed | intercocnnectConfigMA failed |error Adding Mobility Agent Host failed |SSL Exception.

In the vCenter Monitor > Tasks view, the HCX attempt to deploy the MA host fails at ~80%.

This issue does not impact the deployment of the HCX Interconnect (IX) and Network Extension (NE) appliances.

The vCenter vpxd logs show the following error message:

ERROR c.v.v.h.s.i.InterconnectConfigureMA- Task task-124498 error out, error : A general system error occurred: SSL  Exception: Verification parameters:
PeerThumbprint: A3:04:3B:CC:3D:1B:18:5B:DB:9B:E9:B2:57:D6:E4:88:39:4E:C2:B1
ExpectedThumbprint:
ExpectedPeerName: 10.1.1.1
The remote host certificate has these problems:
 * Host name does not match the subject name(s) in certificate.
 * unable to get local issuer certificate
com.vmware.vim.binding.vmodl.fault.SystemError: A general system error occurred: SSL Exception: Verification parameters:
PeerThumbprint: A3:04:3B:CC:3D:1B:18:5B:DB:9B:E9:B2:57:D6:E4:88:39:4E:C2:B1
ExpectedThumbprint:
ExpectedPeerName: 10.1.1.1
The remote host certificate has these problems:
* Host name does not match the subject name(s) in certificate.


Cause

This issue occurs when vCenter is configured with the Certificate Management policy set to "Custom" mode (the vpxd.certmgmt.mode advanced setting is set to "custom").

The HCX MA virtual host must be added to vCenter by the HCX Manager, but because the IX appliance uses a self-signed certificate, vCenter rejects the addition of the MA host into the cluster.

Resolution

HCX MA deployment in a vCenter environment with Certificate Management set to "Custom" mode is NOT supported.
Alternatively, the recommended workaround below can be implemented. It has been thoroughly verified, but it has some restrictions regarding persistence.
Support for the implementation of the workaround is provided on a best-effort basis.

Workaround:

The following procedure replaces the IX appliance certificate and key.
It must be performed for each Interconnect appliance that is deployed in a vCenter with 'custom' certificate management.

  • SSH into the HCX Manager as 'admin'
  • Enable CCLI mode (ccli)
  • Run 'list' to list the appliances and 'go <appliance_ID>' to select the IX appliance
  • Run 'ssh' to drop into the Linux prompt of the appliance
  • Change directory to /etc/vmware/ssl
  • Back up the existing certificate files:
      mv rui.crt rui.crt.bak
      mv rui.key rui.key.bak
  • Replace the files with the custom CA-signed certificate (rui.crt) and its private key (rui.key)
  • Reboot the IX appliance, or restart the MA and authentication services:
      stc restart mobilityagent
      stc restart authdlauncher
  • From the HCX Interconnect UI, re-sync the Service Mesh to trigger the MA deployment

IMPORTANT: This workaround is not persistent. After the Service Mesh is re-synced or after a service update, the same procedure must be performed again to re-deploy the MA.

The following considerations should be taken into account:

  • Because this custom CA-signed certificate must be trusted by vCenter, it must be generated in the same manner as the existing ESXi host certificates in this environment.
  • Ensure the 'CN' and 'SAN' fields of the certificate contain the IP address that will be used as the management IP of the IX appliance.
  • If the CA provides the certificate as a single cert.pem file, make sure the certificate chain (target, intermediate, and root certificates) and the private key are separated into the rui.crt and rui.key files respectively.
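As an added example (not part of this KB article and not VMware tooling), the following POSIX shell functions prepare rui.crt and rui.key from a CA-issued PEM bundle on an administrator workstation and check, before the files are copied to /etc/vmware/ssl on the IX appliance, the two properties the vpxd log above complains about: the leaf must name the management IP in its SAN or CN, and the leaf must chain to the supplied issuer certificates. It also confirms the certificate and key actually belong together. It assumes openssl 1.1.1 or later is installed, that the bundle is ordered leaf, intermediates, root, and that the key is unencrypted; all function names and the placeholder bundle are hypothetical.

```shell
#!/bin/sh
# Added example, not from the KB: prepare and validate rui.crt / rui.key from a
# CA-issued PEM bundle before copying them to /etc/vmware/ssl on the IX appliance.
# Assumptions: leaf certificate first, then intermediates and root, then one
# unencrypted private key; openssl 1.1.1+ (for -ext). Function names are hypothetical.

# split_bundle BUNDLE OUT_CRT OUT_KEY
# Copy every CERTIFICATE block (in file order) to OUT_CRT and the single
# PRIVATE KEY block to OUT_KEY; the key file is made owner-readable only.
split_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/{c=1} c{print} /-----END CERTIFICATE-----/{c=0}' "$1" > "$2"
    awk '/-----BEGIN .*PRIVATE KEY-----/{k=1} k{print} /-----END .*PRIVATE KEY-----/{k=0}' "$1" > "$3"
    chmod 600 "$3"
}

# count_certs FILE: number of certificate blocks in FILE (leaf + chain).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_key_match CRT KEY: the leaf's public key must equal the public key
# derived from the private key (a mismatch usually means the wrong file was copied).
check_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_cert_ip CRT IP: the leaf must carry IP in its SAN (preferred) or CN,
# otherwise vCenter reports "Host name does not match the subject name(s)".
check_cert_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qE "IP Address:$ip_re(,|\$)" && return 0
    openssl x509 -in "$1" -noout -subject | grep -qE "CN *= *$ip_re(,|\$)"
}

# check_chain CRT: the leaf (first block) must verify against the remaining
# blocks, otherwise vCenter reports "unable to get local issuer certificate".
check_chain() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
    cat "$tmp"/[2-9].pem > "$tmp/ca.pem" 2>/dev/null
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/1.pem" > /dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# prepare_ix_cert BUNDLE IP OUTDIR: run the whole sequence; a non-zero exit
# means the files must not be copied to the appliance.
prepare_ix_cert() {
    mkdir -p "$3"
    split_bundle "$1" "$3/rui.crt" "$3/rui.key" || return 1
    [ "$(count_certs "$3/rui.crt")" -ge 2 ] || { echo "chain incomplete" >&2; return 1; }
    check_key_match "$3/rui.crt" "$3/rui.key" || { echo "cert/key mismatch" >&2; return 1; }
    check_cert_ip "$3/rui.crt" "$2" || { echo "IP $2 not in SAN/CN" >&2; return 1; }
    check_chain "$3/rui.crt" || { echo "chain does not verify" >&2; return 1; }
    echo "ok: $3/rui.crt and $3/rui.key ready for /etc/vmware/ssl"
}

# make_sample_bundle FILE: constructed placeholder bundle (not real key
# material) used only to exercise split_bundle offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF_PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE_PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
KEY_PLACEHOLDER
-----END PRIVATE KEY-----
EOF
}
```

Usage: `prepare_ix_cert cert.pem 10.1.1.1 ./ix-cert` with the real bundle from your CA, then copy the resulting rui.crt and rui.key to /etc/vmware/ssl on the IX appliance after backing up the existing files as in the procedure above. The checks are ordered so that the cheapest structural problems (missing chain, wrong key) are reported before the openssl chain verification runs.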


Additional Information

Refer to the following VMware KB articles for more information on how to request and configure CA-signed certificates for ESXi hosts.

Impact/Risks:
The failure to deploy the MA disables the HCX Cold, vMotion, and RAV migration services.
VR Bulk migrations and DR Protections do not require the MA.
There is no risk in implementing the recommended workaround, as there is no impact to Network Extension services.