vSAN cluster/debug commands fail with [SSL: CERTIFICATE_VERIFY_FAILED]

Article ID: 325178

Products

VMware vSAN

Issue/Introduction

Symptoms:
 
- The ESXi hosts are using custom CA-signed certificates.

- When running vSAN cluster/debug commands with either esxcli or localcli, an error like the one below is returned:

[root@esxi:~] localcli vsan health cluster list
ERROR:root:Failed to test vsan vmodl version with error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1131) on localhost
WARNING:root:Retry retrieving vsan vmodl version, 0

Environment

VMware vSAN 7.0.x
VMware vSAN 8.0.x

Cause

The CA certificate chain that signed the certificates in use by the ESXi hosts is not present in /etc/vmware/ssl/castore.pem, so the vSAN commands cannot verify the host's own certificate when they connect to localhost.

Resolution

Run 'Refresh CA Certificates' on the affected hosts by following the relevant step in Renew or Refresh ESXi Certificates.

If this does not resolve the issue, follow the steps to publish the custom CA certificate chain to the vCenter TRUSTED_ROOTS store, then retry the refresh above.

If publishing the certificate chain does not work, append the custom CA certificate chain (in PEM format) to /etc/vmware/ssl/castore.pem on the ESXi host(s), then restart hostd (/etc/init.d/hostd restart) and vpxa (/etc/init.d/vpxa restart) so that they reload the store. See ESXi Host Disconnected from vCenter and hostd Fails to Start After SSL Certificate Replacement for full details and steps.
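The following ESXi shell script is an added example, not part of the KB article: it performs the castore.pem fallback described above, verifying rui.crt against the store first, appending only the chain blocks the store does not already hold (after taking a backup), and restarting hostd and vpxa. It assumes busybox sh with openssl available on the host; STORE and HOSTCERT default to the paths named in the article and the chain file path is supplied as the first argument.

```shell
# Added example (not from the article): verify the ESXi CA store against the host
# certificate and append a custom CA chain without duplicating entries.
STORE="${STORE:-/etc/vmware/ssl/castore.pem}"
HOSTCERT="${HOSTCERT:-/etc/vmware/ssl/rui.crt}"

# 0 if the host certificate chains to a CA in the store (the check the failing
# vSAN commands effectively perform against localhost), non-zero otherwise.
castore_trusts_host() {
    openssl verify -CAfile "$STORE" "$HOSTCERT" >/dev/null 2>&1
}

# Print the base64 body of every certificate block in file $1, one block per
# line, so blocks compare equal regardless of the original line wrapping.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
         /^-----END CERTIFICATE-----/   { print body; inblock = 0; next }
         inblock                        { body = body $0 }' "$1"
}

# Append every certificate from chain file $1 that the store does not already
# hold. Backs the store up first and prints the number of blocks appended.
append_missing_cas() {
    chain="$1"; added=0
    cp "$STORE" "$STORE.bak.$(date +%Y%m%d%H%M%S)"
    [ -z "$(tail -c 1 "$STORE")" ] || echo >> "$STORE"   # ensure trailing newline
    store_bodies=$(pem_bodies "$STORE")
    for body in $(pem_bodies "$chain"); do
        if printf '%s\n' "$store_bodies" | grep -qxF -e "$body"; then
            continue                                      # already present, skip
        fi
        {
            printf '%s\n' '-----BEGIN CERTIFICATE-----'
            printf '%s\n' "$body" | fold -w 64
            printf '%s\n' '-----END CERTIFICATE-----'
        } >> "$STORE"
        added=$((added + 1))
    done
    echo "$added"
}

# The article's fallback, applied only when the store really does not trust the
# host certificate; hostd and vpxa are restarted so they reload the store.
remediate() {
    if castore_trusts_host; then
        echo "$STORE already trusts $HOSTCERT; nothing to do"; return 0
    fi
    echo "appended $(append_missing_cas "$1") certificate(s) to $STORE"
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart
}

if [ $# -ge 1 ]; then remediate "$1"; fi   # usage: sh fix-castore.sh /tmp/custom-ca-chain.pem
```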

 

Additional Information

Impact/Risks:

The vSAN cluster/debug commands fail to retrieve information from the other hosts in the cluster.