ESXi 6.5 host with secure boot enabled triggers "vSphere HA host status" alarm

Article ID: 316426

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • An ESXi 6.5 host with UEFI Secure Boot enabled triggers a vSphere HA host status alarm when it is newly added to an HA-enabled cluster.
  • You see an error similar to:

    Cannot install the vCenter Server agent service. Unknown installer error
    Alarm 'Host error' on 'IP address'
    triggered by event 14361 'Issue detected on ip_address in TEST-Datacenter: Secure Boot enabled: Cannot skip signature checks. Installing unsigned VIBs will prevent the system from booting.

     
  • In the /var/log/hostd.log file, you see entries similar to:
     
    2016-12-20T16:45:39.723Z info hostd[94159D0] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 33 : Issue detected on localhost.domain.local in ha-datacenter: Secure Boot enabled: Cannot skip signature checks. Installing unsigned VIBs will prevent the system from booting.
    2016-12-20T16:48:43.176Z info hostd[CA81B70] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 136 : Issue detected on localhost.domain.local in ha-datacenter: Secure Boot enabled: Cannot skip signature checks. Installing unsigned VIBs will prevent the system from booting.
  • In the /var/log/esxupdate.log file, you see entries similar to:

    2016-12-13T10:40:57Z esxupdate: 70076: esxupdate: INFO: --- Command: update Args: ['update'] Options: {'meta': None, 'timeout': 30.0, 'loglevel': None, 'retry': 5, 'viburls': ['file:///tmp/VMware_bootbank_vmware-fdm_6.5.0-4602587.vib'], 'hamode': True, 'maintenancemode': None, 'proxyurl': None, 'nosigcheck': True, 'cachesize': None, 'cleancache': None}
    2016-12-20T16:45:39Z esxupdate: 68908: Transaction: INFO: Final list of VIBs being installed: VMware_bootbank_vmware-fdm_6.5.0-4602587
    2016-12-20T16:45:39Z esxupdate: 68908: imageprofile: INFO: Adding VIB VMware_bootbank_vmware-fdm_6.5.0-4602587 to ImageProfile ESXi-6.5.0-4564106-standard
    2016-12-20T16:45:39Z esxupdate: 68908: Transaction: ERROR: Secure Boot enabled: Cannot skip signature checks. Installing unsigned VIBs will prevent the system from booting.
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: An esxupdate error exception was caught:
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: Traceback (most recent call last):
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: File "/usr/sbin/esxupdate", line 239, in main
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: cmd.Run()
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: File "/build/mts/release/bora-4564106/bora/build/esx/release/vmvisor/sys-boot/lib64/python3.5/site-packages/vmware/esx5update/Cmdline.py", line 148, in Run
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: File "/build/mts/release/bora-4564106/bora/build/esx/release/vmvisor/sys-boot/lib64/python3.5/site-packages/vmware/esximage/Transaction.py", line 262, in InstallVibsFromSources
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: File "/build/mts/release/bora-4564106/bora/build/esx/release/vmvisor/sys-boot/lib64/python3.5/site-packages/vmware/esximage/Transaction.py", line 382, in _installVibs
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: File "/build/mts/release/bora-4564106/bora/build/esx/release/vmvisor/sys-boot/lib64/python3.5/site-packages/vmware/esximage/Transaction.py", line 416, in _validateAndInstallProfile
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: ERROR: vmware.esximage.Errors.InstallationError: Secure Boot enabled: Cannot skip signature checks. Installing unsigned VIBs will prevent the system from booting.
    2016-12-20T16:45:39Z esxupdate: 68908: esxupdate: DEBUG: <<<

Environment

VMware vSphere ESXi 6.5

Cause

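This issue occurs because vpxd installs the FDM VIB with the nosigcheck option. With Secure Boot enabled, the host refuses to skip signature checks, so the installation fails.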
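
The following is an added example, not VMware's code: a small Python parser that scans esxupdate.log text for runs that requested `nosigcheck` and reports whether Secure Boot blocked them. The sample log is constructed from the format shown above (with one PID used for both lines), and the function and field names are assumptions made for illustration.

```python
import ast
import re

# Constructed sample in the esxupdate.log format shown above; the trailing
# NUL bytes mimic the ^@ padding that appears in the raw file.
SAMPLE_LOG = (
    "2016-12-20T16:45:38Z esxupdate: 68908: esxupdate: INFO: --- Command: update "
    "Args: ['update'] Options: {'viburls': "
    "['file:///tmp/VMware_bootbank_vmware-fdm_6.5.0-4602587.vib'], "
    "'hamode': True, 'nosigcheck': True, 'proxyurl': None}\x00\n"
    "2016-12-20T16:45:39Z esxupdate: 68908: Transaction: ERROR: Secure Boot enabled: "
    "Cannot skip signature checks. Installing unsigned VIBs will prevent the "
    "system from booting.\x00\n"
    "2016-12-21T09:00:00Z esxupdate: 70110: esxupdate: INFO: --- Command: update "
    "Args: ['update'] Options: {'viburls': ['file:///tmp/example.vib'], "
    "'nosigcheck': False}\x00\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) esxupdate: (?P<pid>\d+): (?P<src>\w+): (?P<level>[A-Z]+): (?P<msg>.*)$")
OPTIONS_RE = re.compile(r"--- Command: \S+ .*?Options: (?P<opts>\{.*\})")
BLOCKED = "Secure Boot enabled: Cannot skip signature checks"


def find_nosigcheck_installs(log_text):
    """Return one record per esxupdate run (keyed by PID) that set nosigcheck."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.replace("\x00", "").strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        cmd = OPTIONS_RE.search(msg)
        if cmd:
            try:
                # literal_eval accepts Python literals only; it never runs code.
                opts = ast.literal_eval(cmd["opts"])
            except (ValueError, SyntaxError):
                continue
            if opts.get("nosigcheck"):
                runs[pid] = {"time": m["ts"], "pid": pid,
                             "viburls": opts.get("viburls") or [],
                             "blocked_by_secure_boot": False}
        elif pid in runs and m["level"] == "ERROR" and BLOCKED in msg:
            runs[pid]["blocked_by_secure_boot"] = True
    return list(runs.values())


if __name__ == "__main__":
    for record in find_nosigcheck_installs(SAMPLE_LOG):
        print(record)
```

A record with `blocked_by_secure_boot` set to `False` is worth a closer look on hosts without Secure Boot, because there the unsigned-install request would not have been rejected.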

Resolution

To resolve this issue, manually install the VIB (VMware_bootbank_vmware-fdm_6.5.0-4602587.vib) on the ESXi host. For more information, see "esxcli software vib" commands to patch an ESXi 5.x/6.x host (2008939).

The VIB is located at:

For vCenter Appliance: /etc/vmware-vpx/docRoot/vSphere-HA-depot/vib20/vmware-fdm
For Windows vCenter: C:\Program Data\VMware\vCenterServer\cfg\vmware-vpx\docRoot\vSphere-HA-depot\

After installing the VIB, confirm that the signature is verified by running the command:

esxcli software vib signature verify | grep vmware-fdm

You see output similar to:

vmware-fdm 6.5.0-4602587 VMware VMwareCertified Succeeded

This issue is resolved in 6.5U1 and later.

Additional Information