vSAN -- KMS - Encryption -- Certificate Status -- Healthcheck shows Error
Article ID: 326426
Updated On:
Products
VMware vSAN
Issue/Introduction
Symptoms:
In a vSAN KMS encrypted cluster, the "certificate status" for the KMS cluster shows up with an error in the health check, but the trust and all checks on the individual KMS servers are all green.
When you try to generate new encryption keys, you get the following error message in the vCenter vSphere Client:
"General vSAN error: There was an issue generating new KMS keys for the cluster."
These do not resolve the issue:
- Restarting of vmware-sps and vmware-vsan-health on vCenter
- vCenter Reboot
In a vSAN KMS encrypted cluster, the "certificate status" for the KMS cluster shows up with an error in the health check, but the trust and all checks on the individual KMS servers are all green.
When you try to generate new encryption keys, you get the following error message in the vCenter vSphere Client:
"General vSAN error: There was an issue generating new KMS keys for the cluster."
These do not resolve the issue:
- Restarting of vmware-sps and vmware-vsan-health on vCenter
- vCenter Reboot
Environment
VMware vSAN 7.0.x
VMware vSAN 8.0.x
VMware vSAN 6.x
VMware vSAN 8.0.x
VMware vSAN 6.x
Cause
Possible causes:
- Expired CA certificate
- Certificate state needs to be refreshed
- A change in the KMS server credentials that have been entered into vCenter
Resolution
To resolve all 3 possible causes, perform the following steps.
- Re-enter the KMS server credentials via Cluster > Configure > Key Management Services click "Action", then "Edit".
- Check the certificate expiration date in the same menu in step 1 to make sure that they are still valid.
- Right click on each host individually and select Certificates > Renew CA Certificate.
Note: Make sure that the Cert Mode is VMCA before renewing the certs, the following document can assist: Change the Certificate Mode
- Refresh the health check to see if the error has cleared up.
Feedback
Yes
No
Powered by
