Error when Configuring host for NSX-T: "Failed to install software on host. Invalid host thumbprint <SHA 256 thumbprint>”
Article ID: 319058
Updated On: 04-29-2025
Products
Issue/Introduction
Symptoms:
Error encountered when Configuring host for NSX-T: "Failed to install software on host. Invalid host thumbprint <SHA 256 thumbprint>”
Resolution
1. Verify that SHA certificate thumbprint on host matches what NSX is reporting in UI / logs:
root@host: openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha256 -noout
2. Verify that host certificate is not expired:
root@host: openssl x509 -in /etc/vmware/ssl/rui.crt -text -noout
3. Check /var/log/syslog or /var/log/proton/nsxapi.log on NSX Manager node for error:
"SSL validation failed for host <IP> because specified thumbprint <SHA 256 thumbprint> does not match host thumbprint <SHA 256 thumbprint>"
Note: If the host thumbprint does not match the openssl output from the host itself (step 1), and it is unclear where NSX is getting that certificate thumbprint, confirm if the host IP in logs matches the IP of the host's VMkernel network adapter interface with the 'Management' service enabled in Port properties. If the 'Management' service is selected for the wrong interface on the host, NSX will verify the host certificate against the wrong IP.
If the Management service is mistakenly selected for another interface that is NOT the intended management interface, recreating that vmk interface without the Management service selected will force a re-ordering of the vmk's. This will in turn allow NSX to validate the host certificate against the correct IP address.
Feedback
