Error: "Authenticity of the host's SSL certificate is not verified" when migrating from on-prem to cloud vCenter


Article ID: 323630


Products

VMware Cloud on AWS

Issue/Introduction

  • Cold-migration from On-premises vCenter to Cloud vCenter fails at the compute resource validation screen with the error: Authenticity of the host's SSL certificate is not verified
  • Cold-migration works within the respective vCenters.
    • Example: migrations of the same VM between different ESXi hosts within the On-premises vCenter are successful.
  • Cold-migration works for VMs from Cloud vCenter to On-premises vCenter.
  • This issue is not VM specific and is consistent across the whole environment.
  • The Self-Signed vCenter certificates on the On-premises side and the Cloud vCenter certificate both show as valid.
  • On-premises vCenter's vpxd logs show the below exception:

--> [backtrace end]

vpxd[] [Originator@6876 sub=vpxLro opID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxx] [VpxLRO] – FINISH session[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxx]

vpxd[] [Originator@6876 sub=Default opID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxx] [VpxLRO] – ERROR session[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxx – ProvChecker – vim.vm.check.ProvisioningChecker.checkRelocate: vim.fault.SSLVerifyFault:
--> Result:
--> (vim.fault.SSLVerifyFault) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> selfSigned = false,
--> thumbprint = "<SSL THUMBPRINT>"
--> msg = ""
--> }
--> Args:
-->
--> Arg vm:
--> 'vim.VirtualMachine: <VM_UUID>'
--> Arg spec:
--> (vim.vm.RelocateSpec) {
--> service = (vim.ServiceLocator) {
--> instanceUuid = ",<UUID>",
--> url = "https://vCenterFQDN:443/sdk",
--> credential = (vim.ServiceLocator.SAMLCredential) {
--> token = (not shown)
--> },
--> sslThumbprint = "<SSL THUMBPRINT>"
--> },
--> folder = <unset>,
--> datastore = <unset>,
--> diskMoveType = <unset>,
--> pool = 'vim.ResourcePool:',
--> host = <unset>,
--> disk = <unset>,
--> transform = <unset>,
--> deviceChange = <unset>,
--> profile = <unset>
--> }
--> Arg testType:
--> (string) [
--> "sourceTests",
--> "resourcePoolTests",
--> "hostTests"
--> ]

Cause

This issue can occur because of DNS issues.

Resolution

Ensure that the On-premises DNS server, which is used by the On-premises vCenter and the Cloud vCenter, is able to resolve the public FQDN of the Cloud vCenter.

Note:
The primary requirement for DNS under MGW is to resolve On-prem FQDNs, so that features such as HLM can be configured successfully. In the other direction, primarily the cloud-side vCenter URL has to be resolved by the On-prem components. This record is set in the DynDNS service, so if the On-prem DNS server is capable of resolving public names, it should automatically be able to resolve the vCenter URL to the private IP (if the vCenter name resolution is set to private in the VMware Cloud on AWS portal under DNS).
If required, a forward lookup zone and reverse lookup zone can also be created for vmc.vmware.com on the On-prem DNS server so that the On-prem management components are able to resolve the Cloud vCenter on both IPs (Private and Public).
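
One way to run the check described in the Resolution and Note above, as an added example that is not part of the original article or any VMware tooling: it pulls the ServiceLocator host out of an SSLVerifyFault entry and tests forward and reverse resolution with the local resolver. The function names and the hostname vcenter.sddc.example.invalid are hypothetical, and the script is assumed to run on a machine that uses the same DNS server as the On-premises vCenter.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed sample modelled on the vpxd excerpt above (placeholder values).
SAMPLE_VPXD = '''\
vim.vm.check.ProvisioningChecker.checkRelocate: vim.fault.SSLVerifyFault:
--> service = (vim.ServiceLocator) {
--> url = "https://vcenter.sddc.example.invalid:443/sdk",
--> sslThumbprint = "<SSL THUMBPRINT>"
'''

def target_host(vpxd_text):
    """Return the ServiceLocator host from an SSLVerifyFault entry, or None."""
    if "vim.fault.SSLVerifyFault" not in vpxd_text:
        return None
    m = re.search(r'url\s*=\s*"([^"]+)"', vpxd_text)
    return urlparse(m.group(1)).hostname if m else None

def check_dns(fqdn, forward=socket.getaddrinfo, reverse=socket.gethostbyaddr):
    """Resolve fqdn with the local resolver; report scope and PTR per address."""
    try:
        infos = forward(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        # Forward lookup failed: the Cloud vCenter FQDN is not resolvable here.
        return {"fqdn": fqdn, "resolved": False, "error": str(exc), "addresses": []}
    results = []
    for addr in sorted({info[4][0] for info in infos}):
        # "private" means a non-global range as classified by the ipaddress module.
        scope = "private" if ipaddress.ip_address(addr).is_private else "public"
        try:
            ptr = reverse(addr)[0]
        except (socket.herror, socket.gaierror):
            ptr = None  # no reverse lookup zone or PTR record for this address
        results.append({"ip": addr, "scope": scope, "ptr": ptr})
    return {"fqdn": fqdn, "resolved": True, "error": None, "addresses": results}

if __name__ == "__main__":
    host = target_host(SAMPLE_VPXD)
    print(check_dns(host))
```

A result with resolved set to False points at the DNS cause described above; a resolved entry shows whether the name maps to the private or public IP and whether a reverse record exists.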