"Signed certificate could not be retrieved due to a start time error" when adding ESXi host to vCenter Server
Article ID: 322260
Products
VMware vCenter Server, VMware vSphere ESXi
Issue/Introduction
After replacing the VMware Certificate Authority (VMCA) root certificate with an enterprise subordinate certificate, the following symptoms may appear:
The new certificate has been valid (its notBefore date) for less than 24 hours.
A vSphere ESXi host cannot be added to or connected to vCenter Server, or all hosts show as disconnected.
The following error may appear:
A general system error occurred: Unable to get signed certificate for host: esxi_hostname. Error: Start Time Error (70034)
Environment
VMware vCenter Server Appliance 7.0.x
VMware vSphere ESXi 7.0.x
Cause
When a host is added to VMware vCenter Server, the VMware Certificate Authority backdates the start (notBefore) of the ESXi host certificate by 24 hours, so that clock skew between vCenter Server and the host cannot make a freshly issued certificate appear not yet valid.
For example:
Current time on vCenter Server is 10-Jan-2020 10:00
VMCA root certificate is valid from 10-Jan-2020 07:00
While adding the ESXi host, vCenter Server requests a host certificate whose start time is "current time - 1 day", that is, 09-Jan-2020 10:00:00
VMCA will not issue a certificate whose validity starts before its own: its certificate only became valid on 10-Jan-2020 07:00, the request asks for a start of 09-Jan-2020 10:00, so signing is refused and the operation fails with the Start Time Error.
The advanced setting vpxd.certmgmt.certs.minutesBefore controls how far the host certificate's start time is backdated, in minutes (the default of 24 hours corresponds to 1440). Lowering it lets the host certificate start after the new CA certificate's notBefore.
The vpxd.certmgmt.certs.minutesBefore setting is available in VMware vCenter Server 6.0 Update 2 and later, which can be obtained from Broadcom Downloads.
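The check described above, modelled as an added example (this is not VMware code and not the actual VMCA implementation): it takes the CA certificate's notBefore line as printed by openssl x509 -noout -startdate, the current vCenter Server time and a minutesBefore value, and reports whether VMCA would sign, when the add would first succeed with that setting, and the largest minutesBefore that still works right now. The timestamps and the sample notBefore line are constructed from the article's example; the 1440-minute default is the 24 hours stated above.

```python
"""Start-time check behind "Start Time Error (70034)", as an added example.

This is not VMware code. It models the rule described in the Cause section:
vCenter Server asks VMCA for a host certificate starting at
(current time - minutesBefore), and VMCA refuses when that start time
precedes its own certificate's notBefore. All timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_MINUTES_BEFORE = 1440  # vCenter Server default, 24 hours
KB_MINUTES_BEFORE = 10         # value the Resolution section sets

# Constructed sample: what `openssl x509 -noout -startdate` prints for a CA
# certificate that became valid at 07:00 UTC on 10 January 2020.
SAMPLE_STARTDATE_LINE = "notBefore=Jan 10 07:00:00 2020 GMT"


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC timestamp (keeps the example free of naive datetimes)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_openssl_startdate(line):
    """Parse a 'notBefore=Mon DD HH:MM:SS YYYY GMT' line into an aware UTC datetime.

    openssl pads single-digit days with a space ('Jan  9 ...'); strptime
    treats a space in the format as any run of whitespace, so that parses too.
    """
    key, _, value = line.strip().partition("=")
    if key != "notBefore":
        raise ValueError(f"expected a notBefore= line, got {line!r}")
    stamp, zone = value.strip().rsplit(" ", 1)
    if zone not in ("GMT", "UTC"):
        raise ValueError(f"unexpected time zone {zone!r}")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def requested_not_before(now, minutes_before=DEFAULT_MINUTES_BEFORE):
    """Start time vCenter Server requests for the host certificate."""
    return now - timedelta(minutes=minutes_before)


def vmca_accepts(issuer_not_before, now, minutes_before=DEFAULT_MINUTES_BEFORE):
    """True when the requested start time is not earlier than the CA's notBefore."""
    return requested_not_before(now, minutes_before) >= issuer_not_before


def earliest_success(issuer_not_before, minutes_before=DEFAULT_MINUTES_BEFORE):
    """Earliest vCenter Server time at which the add succeeds with this setting."""
    return issuer_not_before + timedelta(minutes=minutes_before)


def largest_safe_minutes_before(issuer_not_before, now):
    """Largest minutesBefore that succeeds now, i.e. as much clock-skew tolerance
    as the CA certificate's age allows. 0 means only a start of 'now' would pass."""
    elapsed = int((now - issuer_not_before).total_seconds() // 60)
    return max(0, min(DEFAULT_MINUTES_BEFORE, elapsed))


def diagnose(startdate_line, now, minutes_before=DEFAULT_MINUTES_BEFORE):
    """Summarize the scenario for one CA certificate and one clock reading."""
    issuer = parse_openssl_startdate(startdate_line)
    return {
        "requested_not_before": requested_not_before(now, minutes_before),
        "accepted": vmca_accepts(issuer, now, minutes_before),
        "earliest_success_with_setting": earliest_success(issuer, minutes_before),
        "largest_safe_minutes_before": largest_safe_minutes_before(issuer, now),
    }


if __name__ == "__main__":
    # The article's example: CA valid since 07:00, host added at 10:00 the same day.
    now = utc(2020, 1, 10, 10, 0)
    for setting in (DEFAULT_MINUTES_BEFORE, KB_MINUTES_BEFORE):
        print(f"minutesBefore={setting}: {diagnose(SAMPLE_STARTDATE_LINE, now, setting)}")
```

With the article's timestamps the default setting asks for a start of 09-Jan-2020 10:00 and is refused, the setting of 10 is accepted, and the add would first succeed unchanged at 11-Jan-2020 07:00. largest_safe_minutes_before shows that 180 minutes would already work at 10:00, which is worth knowing because every minute removed from minutesBefore is a minute less of clock skew the host certificate tolerates. To feed the function a real value, run openssl x509 -noout -startdate -in <ca.pem> against the PEM of the new subordinate certificate.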
Resolution
Change vpxd.certmgmt.certs.minutesBefore to 10 by following these steps. Note that this also reduces the clock skew tolerated by new host certificates from 24 hours to 10 minutes, so confirm that vCenter Server and the ESXi hosts are synchronized to the same NTP source before adding hosts.
Connect to the vCenter Server using the vSphere Client and administrator credentials.
Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.
In the settings list, select Advanced Settings.
In the Key field, enter this key: vpxd.certmgmt.certs.minutesBefore
In the Value field, enter: 10
Click Add.
Click OK.
To work around this issue without changing the advanced setting:
Wait until the new enterprise subordinate certificate has been valid for at least 24 hours (the default minutesBefore window) before adding further hosts to vCenter Server; waiting 24 hours from the replacement itself is always sufficient, since the certificate's notBefore cannot be later than that.