ESXi Host running a version that is not trusted by vSphere Trust Authority

Article ID: 316432


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • The kmxa log on the Trusted Cluster host that is failing attestation reports errors like the following:
    info kmxa[66724] [Originator@6876 sub=Libs] Starting attestation handshake for group host-8008:########-####-####-####-##########
    info kmxa[66724] [Originator@6876 sub=Libs] Connecting to attestd sb-esxi-02.domain.local:443
    info kmxa[66724] [Originator@6876 sub=Libs] Tpm2Cmd: Successfully created attestation key at: 0x80000002
    error kmxa[66724] [Originator@6876 sub=Libs] Error retrieving token from ATTEST: Error:
    error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.vapi.std.errors.error
    error kmxa[66724] [Originator@6876 sub=Libs] Messages:
    error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.esx.attestation.report.attest_unknown_software
    error kmxa[66724] [Originator@6876 sub=Libs]
    error kmxa[66724] [Originator@6876 sub=Libs] Attestation handshake with sb-esxi-02.domain.local:443 failed to yield a token
    info kmxa[66724] [Originator@6876 sub=Libs] Attestation failed for group host-8008:########-####-####-####-##########
  • The attestd.log on the Trust Authority Cluster hosts reports errors like the following:
    info attestd[141532] [Originator@6876 sub=Libs] New attestation session: 12438589125867557969
    info attestd[141573] [Originator@6876 sub=Libs] [ConfigStore:141528:193932797696:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
    error attestd[141573] [Originator@6876 sub=Libs] Unknown VMkernel digest: baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
    info attestd[141573] [Originator@6876 sub=Libs] End session 12438589125867557969: failed
  • For comparison, the attestd.log on Trust Authority Cluster hosts for a successful attestation reports the following:
    info attestd[272721] [Originator@6876 sub=Libs] New attestation session: 14828104972993742882
    info attestd[272720] [Originator@6876 sub=Libs] [ConfigStore:272716:26149893888:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
    info attestd[272720] [Originator@6876 sub=Libs] Loaded base image data with version 7.0.0-0.0.14896552 and VMkernel digest baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
    info attestd[272720] [Originator@6876 sub=Libs] Attestation complete for session ID 14828104972993742882 with ESX version 7.0.0-0.0.14896552
    info attestd[272720] [Originator@6876 sub=Libs] End session 14828104972993742882: success
  • The following error type and message appear in the logs of the Trusted vCenter Server:
    --> com.vmware.vapi.std.errors.error
    --> Messages:
    --> com.vmware.esx.attestation.report.attest_unknown_software<Attestation failed to identify the remote software version.>
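As an added example (not part of this article and not a VMware tool), the following PowerShell function summarizes attestd.log sessions so that failed sessions, and the VMkernel digest the Trust Authority Cluster did not recognize, can be pulled out of a larger log. The sample lines are constructed from the patterns shown above; the function name and its output fields are my own, and it assumes attestd logs sessions one after another rather than interleaved, which is why it correlates lines by order between a "New attestation session" line and its matching "End session" line.

```powershell
# Added example: summarize attestd.log sessions (constructed around the article's log patterns).
function Get-AttestationSessionSummary {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    # Assumption: sessions are logged sequentially, so every line between
    # "New attestation session" and the matching "End session" belongs to that session.
    $current = $null
    foreach ($line in $LogLines) {
        if ($line -match 'New attestation session: (?<id>\d+)') {
            $current = [pscustomobject]@{
                SessionId     = $Matches.id
                Result        = 'incomplete'
                UnknownDigest = $null   # digest the Trust Authority Cluster did not recognize
                Version       = $null   # ESX version identified on success
            }
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match 'Unknown VMkernel digest: (?<digest>[0-9a-f]{64})') {
            $current.UnknownDigest = $Matches.digest
        }
        elseif ($line -match 'Attestation complete for session ID \d+ with ESX version (?<ver>\S+)') {
            $current.Version = $Matches.ver
        }
        elseif ($line -match 'End session (?<id>\d+): (?<result>\w+)' -and $Matches.id -eq $current.SessionId) {
            $current.Result = $Matches.result
            $current            # emit the finished session
            $current = $null
        }
    }
}

# Constructed sample: one failed and one successful session, as in the article.
$sampleLog = @'
info attestd[141532] [Originator@6876 sub=Libs] New attestation session: 12438589125867557969
info attestd[141573] [Originator@6876 sub=Libs] [ConfigStore:141528:193932797696:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
error attestd[141573] [Originator@6876 sub=Libs] Unknown VMkernel digest: baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[141573] [Originator@6876 sub=Libs] End session 12438589125867557969: failed
info attestd[272721] [Originator@6876 sub=Libs] New attestation session: 14828104972993742882
info attestd[272720] [Originator@6876 sub=Libs] Loaded base image data with version 7.0.0-0.0.14896552 and VMkernel digest baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[272720] [Originator@6876 sub=Libs] Attestation complete for session ID 14828104972993742882 with ESX version 7.0.0-0.0.14896552
info attestd[272720] [Originator@6876 sub=Libs] End session 14828104972993742882: success
'@ -split "`r?`n"

$summary = Get-AttestationSessionSummary -LogLines $sampleLog
$summary | Format-Table -AutoSize

# Sessions that failed on an unrecognized digest are the ones that need a base-image import
# (or, if no patch was applied to that host, an investigation of why its VMkernel changed).
$summary | Where-Object { $_.Result -eq 'failed' -and $_.UnknownDigest } |
    ForEach-Object { "Session $($_.SessionId): unknown VMkernel digest $($_.UnknownDigest)" }
```

Run it against a copied attestd.log with `Get-Content` in place of the constructed sample. An unknown digest means only that the Trust Authority Cluster has no base image for that VMkernel; confirm that the host was in fact patched before treating the import in the Resolution section as the fix.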



Environment

VMware vSphere ESXi 7.0.0

Cause

When you patch or update the ESXi software on a Trusted Cluster host, the new software version that the host runs is not automatically trusted by the vSphere Trust Authority Cluster. Attestation of that host fails until you manually make the new host software version trusted.

Resolution

Prerequisites:

You must be a Trust Authority administrator.

Procedure:

  1. Perform the following steps on the Trusted Cluster host where you patched or updated the ESXi software.
    a. In a PowerCLI session, connect to the ESXi host that is currently failing attestation using the root user.
       Connect-VIServer -server esxi_host -User root -Password 'password'
    b. Assign the ESXi host to a variable.
       $vmhost = Get-VMHost
    c. Export the host's image. Ensure that the destination directory exists before running this command.
       Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz
  2. Perform the following steps on the vSphere Trust Authority Cluster.
    a. Run the following commands to disconnect any current connection and connect to the vCenter Server of the Trust Authority Cluster using the Trust Authority administrator user.
       Disconnect-VIServer -server * -Confirm:$false
       Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
    b. Assign the Trust Authority Cluster to a variable.
       $TAcluster = Get-TrustAuthorityCluster "SB-Cluster"
    c. Import the image.tgz file previously exported from the ESXi host in step 1c.
       New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster -FilePath C:\vta\image.tgz
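The two phases of the procedure can be run as a single PowerCLI script. This is an added example, not the article's own procedure or a VMware-provided script: the host, vCenter Server, cluster name and export path are placeholders passed as parameters, credentials are prompted for with Get-Credential instead of being typed on the command line, the export directory is created if it is missing, and Get-TrustAuthorityVMHostBaseImage (from the PowerCLI security module) is used before and after the import to confirm that a new trusted base image was registered.

```powershell
# Added example: end-to-end version of the Resolution steps (not from the KB article).
#Requires -Modules VMware.VimAutomation.Core, VMware.VimAutomation.Security
param(
    [Parameter(Mandatory)] [string] $TrustedHost,            # placeholder: ESXi host failing attestation
    [Parameter(Mandatory)] [string] $TrustAuthorityVC,       # placeholder: vCenter of the Trust Authority Cluster
    [Parameter(Mandatory)] [string] $TrustAuthorityCluster,  # placeholder: e.g. "SB-Cluster"
    [string] $ImagePath = 'C:\vta\image.tgz'                 # same path the article uses
)

$ErrorActionPreference = 'Stop'

# Prompt for both identities rather than embedding passwords in the script or shell history.
$hostCred  = Get-Credential -Message "root credentials for $TrustedHost"
$adminCred = Get-Credential -Message "Trust Authority administrator for $TrustAuthorityVC"

# Step 1: export the image database from the patched Trusted Cluster host.
$exportDir = Split-Path -Path $ImagePath -Parent
if (-not (Test-Path -Path $exportDir)) {
    New-Item -ItemType Directory -Path $exportDir | Out-Null   # Export-VMHostImageDb needs the directory to exist
}

Disconnect-VIServer -Server * -Confirm:$false -ErrorAction SilentlyContinue
$esx    = Connect-VIServer -Server $TrustedHost -Credential $hostCred
$vmhost = Get-VMHost -Server $esx
Export-VMHostImageDb -VMHost $vmhost -FilePath $ImagePath
if (-not (Test-Path -Path $ImagePath)) { throw "Export did not produce $ImagePath" }
Disconnect-VIServer -Server $esx -Confirm:$false

# Step 2: import the exported image into the Trust Authority Cluster as a trusted base image.
$vc        = Connect-VIServer -Server $TrustAuthorityVC -Credential $adminCred
$TAcluster = Get-TrustAuthorityCluster -Name $TrustAuthorityCluster -Server $vc

$before = @(Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster)
New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster -FilePath $ImagePath
$after  = @(Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster)

# A successful import shows up as one more trusted base image on the cluster.
"Trusted base images before import: $($before.Count); after import: $($after.Count)"
$after | Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

After the import, the next attestation attempt from the patched host should end with "End session ...: success" in attestd.log. Keep the exported image.tgz with your change records: it is the evidence of which VMkernel digest you chose to trust and when.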