vSAN Host Not Contributing Stats with SSL error using Custom Certs.

Article ID: 335206

Products

VMware vSAN

Issue/Introduction

Symptoms:
  • You are using custom CA-signed certificates.
  • A cluster warning appears under Monitor > Virtual SAN > Performance service > All hosts contributing stats.
  • One or more ESXi hosts are listed under Hosts Not Contributing Stats in the lower panel.
  • One cause of this is a problem with the CA certificate that makes the SSL connection between hosts fail. The failure prevents vSAN stats metrics from being collected from the hosts that cannot connect.
    To verify this particular issue, enable debug logging for vsanmgmt on the StatsMaster node (and/or one of the non-contributing nodes).
  • /var/log/vsanmgmt.log shows an SSL error like the following:

2017-03-24T11:04:37Z VSANMGMTSVC: DEBUG vsanperfsvc[Collector-0] [statscollector::SampleHostStats] collecting remote stats for host 10.126.16.203 from VSI
2017-03-24T11:04:37Z VSANMGMTSVC: DEBUG vsanperfsvc[Collector-2] [statscollector::RetrieveRemoteStats] Unexpected error during RetrieveRemoteStats:<class 'ssl.SSLEOFError'>
2017-03-24T11:04:37Z VSANMGMTSVC: DEBUG vsanperfsvc[Collector-2] [statscollector::RetrieveRemoteStats] Traceback (most recent call last):
File "/build/mts/release/bora-3825892/bora/build/esx/release/vsanhealth/usr/lib/vmware/vsan/perfsvc/statscollector.py", line 445, in RetrieveRemoteStats
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys/lib/python2.7/site-packages/pyVmomi/VmomiSupport.py", line 543, in <lambda>
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys/lib/python2.7/site-packages/pyVmomi/VmomiSupport.py", line 352, in _InvokeMethod
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys/lib/python2.7/site-packages/pyVmomi/SoapAdapter.py", line 1238, in InvokeMethod
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys/lib/python2.7/site-packages/pyVmomi/SoapAdapter.py", line 1304, in GetConnection
File
2017-03-24T11:04:37Z VSANMGMTSVC: "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys/lib/python2.7/site-packages/pyVmomi/SoapAdapter.py", line 1005, in __call__
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys-boot/lib/python2.7/ssl.py", line 891, in wrap_socket
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys-boot/lib/python2.7/ssl.py", line 566, in __init__
File "/build/mts/release/bora-3825889/bora/build/esx/release/vmvisor/sys-boot/lib/python2.7/ssl.py", line 788, in do_handshake
SSLEOFError: EOF occurred in violation of protocol (_ssl.c:581)

  • /etc/vmware/ssl/castore.pem is zero bytes in size.



Environment

VMware vSAN 7.0.x
VMware vSAN 8.0.x

Cause

The custom certificate is explicitly set with the 'Key Usage Server Authentication' only. With that restriction, the certificate cannot be used for client authentication. The certificate needs either to be set for both Server and Client Authentication key usage or to have the usage unset for both.
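
One way to check a certificate for this condition, as an added example (not VMware's tooling or fix): it reads the output of `openssl x509 -noout -text` and reports whether the Extended Key Usage extension is unset, allows both usages, or is restricted to one. The certificate path given on the command line is an assumption; `TLS Web Server Authentication` and `TLS Web Client Authentication` are the names OpenSSL prints for these usages.

```shell
#!/bin/sh
# Added example, not VMware tooling. Classifies the Extended Key Usage (EKU)
# of a certificate from `openssl x509 -noout -text` output read on stdin.
classify_eku() {
    # OpenSSL prints the EKU values on the line after the extension header.
    eku=$(awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    if [ -z "$eku" ]; then
        echo "unset"                  # no EKU extension: unset for both
        return 0
    fi
    server=no; client=no
    case "$eku" in *"TLS Web Server Authentication"*) server=yes ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) client=yes ;; esac
    case "$server/$client" in
        yes/yes) echo "both" ;;
        yes/no)  echo "server-only"; return 1 ;;  # condition described in Cause
        no/yes)  echo "client-only"; return 1 ;;
        *)       echo "neither"; return 1 ;;
    esac
}

# Path is supplied by the caller (assumption: a PEM certificate file).
check_cert_file() {
    # Fail clearly if openssl cannot parse the file, rather than report "unset".
    text=$(openssl x509 -in "$1" -noout -text) || { echo "unreadable"; return 2; }
    printf '%s\n' "$text" | classify_eku
}

# Reports whether a CA store file has content; -s is false for a zero-byte
# or missing file (the page's symptom for /etc/vmware/ssl/castore.pem).
ca_store_state() {
    if [ -s "$1" ]; then echo "non-empty"; else echo "empty-or-missing"; fi
}

if [ "$#" -gt 0 ]; then
    check_cert_file "$1" || echo "certificate needs review (status $?)"
else
    # Constructed sample of openssl text output, not taken from a real host.
    printf '%s\n' '            X509v3 Extended Key Usage: ' \
        '                TLS Web Server Authentication' | classify_eku || true
fi
```

A result of `both` or `unset` matches the two acceptable states named above; `server-only` matches the cause described in this article.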

Resolution

To resolve this issue open a support ticket with VMware to assist with implementing the fix.

