ESXi Host running a version that is not trusted by vSphere Trust Authority
search cancel

ESXi Host running a version that is not trusted by vSphere Trust Authority

book

Article ID: 316432

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • ESXi - /var/run/log/kmxa.log

info kmxa[66724] [Originator@6876 sub=Libs] Starting attestation handshake for group host-8008:########-####-####-####-##########
info kmxa[66724] [Originator@6876 sub=Libs] Connecting to attestd esxi.example.local:443
info kmxa[66724] [Originator@6876 sub=Libs] Tpm2Cmd: Successfully created attestation key at: 0x80000002
error kmxa[66724] [Originator@6876 sub=Libs] Error retrieving token from ATTEST: Error:
error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.vapi.std.errors.error
error kmxa[66724] [Originator@6876 sub=Libs] Messages:
error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.esx.attestation.report.attest_unknown_software
error kmxa[66724] [Originator@6876 sub=Libs]
error kmxa[66724] [Originator@6876 sub=Libs] Attestation handshake with esxi.example.local:443 failed to yield a token
info kmxa[66724] [Originator@6876 sub=Libs] Attestation failed for 
group host-8008:########-####-####-####-##########

  • ESXi -  /var/run/log/attestd.log on the Trust Authority Cluster hosts reports errors like the following:
info attestd[141532] [Originator@6876 sub=Libs] New attestation session: 12438589125867557969
info attestd[141573] [Originator@6876 sub=Libs] [ConfigStore:141528:193932797696:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
error attestd[141573] [Originator@6876 sub=Libs] Unknown VMkernel digest: baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[141573] [Originator@6876 sub=Libs] End session 12438589125867557969: failed
  • For comparison, ESXi -  /var/run/log/attestd.log on Trust Authority Cluster hosts for a successful attestation reports the following:
info attestd[272721] [Originator@6876 sub=Libs] New attestation session: 14828104972993742882
info attestd[272720] [Originator@6876 sub=Libs] [ConfigStore:272716:26149893888:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
info attestd[272720] [Originator@6876 sub=Libs] Loaded base image data with version 7.0.0-0.0.14896552 and VMkernel digest baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[272720] [Originator@6876 sub=Libs] Attestation complete for session ID 14828104972993742882 with ESX version 7.0.0-0.0.14896552
info attestd[272720] [Originator@6876 sub=Libs] End session 14828104972993742882: success
  • The following error type and message will appear in logs of the Trusted vCenter:  vCenter - /var/log/vmware/vapi/endpoint/vmware-vapi-endpoint.stderr
--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.esx.attestation.report.attest_unknown_software<Attestation failed to identify the remote software version.>

Environment

VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 8.0.0

Cause

When patching or updating the ESXi software on a Trusted Cluster host, the new software that it is running is not automatically trusted by the vSphere Trust Authority Cluster until manual intervention is performed to make the new host software version trusted.

Resolution

Prerequisites

  • You must be a Trust Authority administrator.

Procedure

  1.  Perform the following steps on the Trusted Cluster host where you patched or updated the ESXi software.
    1. In a PowerCLI session, connect to the ESXi host that is currently failing attestation using the root user.
Connect-VIServer -server esxi_host -User root -Password ‘password'.
  1. Assign the ESXi host to a variable.
$vmhost = Get-VMHost
  1. Export the host’s image. Ensure that the destination directory exists before running this command.
Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz
  1. Perform the following steps on the vSphere Trust Authority Cluster.
    1. Run the following commands to disconnect any current connection and connect to the vCenter Server of the Trust Authority Cluster using the Trust Authority administrator user.
Disconnect-VIServer -server * -Confirm:$false
Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
  1. Assign the Trust Authority Cluster to a variable.
$TAcluster = Get-TrustAuthorityCluster "SB-Cluster"
  1. Import the image.tgz file previously exported from the ESXi host in step 1c.
New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster -FilePath C:\vta\image.tgz
Powered by Wolken Software