Hosts with custom certs appear non-responsive when vmware-vsan-health is enabled on vCenter
Article ID: 327021
Updated On:
Products
VMware vCenter Server
VMware vSAN
Issue/Introduction
- You are using VMCA as an intermediate/subordinate certification.
- You have verified all certificates across the environment are correct and consistent.
- When starting the vmware-vsan-health service on the vCenter, we see the following error messages in the vpxa.log on the hosts:
[YYYY-MM-DDTHH:MM:SS] info vpxa[16742038] [Originator@6876 sub=Default opID=vsan-PC-59d27b8701b25-sq111:j1-W910-sq123:j2-c6-98] [VpxLRO] -- ERROR lro-52 -- vsanSystem -- vim.host.VsanSystem.fetchVsanSharedSecret: vim.fault.NotAuthenticated:--> Result:--> (vim.fault.NotAuthenticated) {--> faultCause = (vmodl.MethodFault) null,--> faultMessage = <unset>,--> object = 'vim.host.VsanSystem:vsanSystem',--> privilegeId = "none"--> msg = "Received SOAP response fault from [<cs p:000000a694a672d0, TCP:localhost:8307>]: fetchVsanSharedSecret--> The session is not authenticated."--> }--> Args:--> - This eventually leads to the host disconnecting from vCenter with the following messages in the vpxa.log:
[YYYY-MM-DDTHH:MM:SS] error vpxa[16721871] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721873] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721898] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721875] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721874] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721871] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721899] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500[YYYY-MM-DDTHH:MM:SS] error vpxa[16721870] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500
Environment
VMware vCenter Server 6.5.x
VMware vSAN 6.7.x
VMware vCenter Server 6.7.x
VMware vSAN 6.5.x
VMware vSAN 6.7.x
VMware vCenter Server 6.7.x
VMware vSAN 6.5.x
Cause
This is due to VsanMgmtAdapters.py [located in
/usr/lib/vmware-vpx/vsan-health/pyMoVsan/] calculating the thumbprint of the hosts incorrectly.Resolution
Upgrade vCenter to 6.7U3b build 15132721 or higher and ESXi to 6.7U3 P01 build 15160138 or higher.
Workaround:
We need to make changes to VsanMgmtAdapters.py to adjust the way it calculates the host certificate thumbprint.
Download the attached script "fix_vsanMgmtAdapters.sh" to /tmp directory in vCenter
Give it executable permissions.
Run the script
After this is done, restart the management agents on the host with the following commands.
Workaround:
We need to make changes to VsanMgmtAdapters.py to adjust the way it calculates the host certificate thumbprint.
Download the attached script "fix_vsanMgmtAdapters.sh" to /tmp directory in vCenter
Give it executable permissions.
# chmod +x /tmp/fix_vsanMgmtAdapters.shRun the script
# /tmp/fix_vsanMgmtAdapters.shAfter this is done, restart the management agents on the host with the following commands.
# /etc/init.d/hostd restart# /etc/init.d/vpxa restartAdditional Information
Impact/Risks:
Hosts go non-responsive in vCenter losing management capabilities. This affects both vSAN and non-vSAN clusters managed by the same vCenter.
Hosts go non-responsive in vCenter losing management capabilities. This affects both vSAN and non-vSAN clusters managed by the same vCenter.
Attachments
Feedback
Yes
No
Powered by
