vCenter upgrade to 6.7 fails with vpxd firstboot with error: "Failed to create data encipherment cert with hostname/ip"

Article ID: 336057


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • vCenter upgrade to 6.7 fails during vpxd firstboot with the error "Failed to create data encipherment cert with hostname/ip".
vpxd_firstboot.log:
2020-02-18T05:11:24.709Z  Invoked command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vcenter_fqdn', '--genCIScert', '--dataencipherment', '--privkey=/etc/vmware-vpx/ssl/tmp-data-encipherment.key', '--cert=/etc/vmware-vpx/ssl/tmp-data-encipherment.crt', '--Name=data-encipherment', '--FQDN=vcenter_fqdn']
2020-02-18T05:11:24.709Z  RC = 5
Stdout = Error: 5, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 5
Error Message : Operation failed with error = ERROR_ACCESS_DENIED (5)

Stderr =
2020-02-18T05:11:24.709Z  VirtualCenter firstboot failed


vmcad-syslog.log:
2020-02-18T05:06:55.712962+00:00 info vmcad  Starting VMware Certificate Servicedone
2020-02-18T05:07:04.185407+00:00 info vmcad  t@140407505676032: VMCACheckAccessKrb: Authenticated user [email protected]
2020-02-18T05:11:24.688726+00:00 info vmcad  t@140407505676032: VMCACheckAccessKrb: Authenticated user [email protected]
2020-02-18T05:11:24.697375+00:00 info vmcad  t@140407505676032: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: [email protected]
2020-02-18T05:11:24.697881+00:00 info vmcad  t@140407505676032: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2020-02-18T05:11:24.698176+00:00 warning vmcad  t@140407505676032: error code: 0x00000005
2020-02-18T05:11:24.698507+00:00 warning vmcad  t@140407505676032: error code: 0x00000005


Environment

VMware vCenter Server 6.7.x

Cause

The issue occurs because the following user groups are missing from the CAAdmins group, so the vpxd firstboot request to VMCA is rejected with ERROR_ACCESS_DENIED (5):
  • DCAdmins
  • DCClients

Resolution

To resolve the issue, add the DCAdmins and DCClients groups to the CAAdmins group, then retry the upgrade.

They can be added using the vSphere Client (Flex or HTML5) from Administration > SSO > Users and Groups.
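The following Python script is an added triage example and is not part of this article or of any VMware tooling. It does two things an administrator wants before opening the client: it scans a vmcad-syslog.log excerpt for a "Checking user's group ... against CA admin group" line that is followed by error code 0x5 (the access-denied pattern shown above), and it compares a list of CAAdmins members against the two groups this article requires. The log lines embedded below are constructed to mirror the excerpt above; the member list you pass to `missing_ca_admin_members` is whatever you obtain from the SSO Users and Groups view (the values in the example are assumed).

```python
import re
from typing import List, Tuple

# Groups this article says must be members of CAAdmins.
REQUIRED_CA_ADMIN_MEMBERS = ("DCAdmins", "DCClients")

# vmcad logs the membership check it performs before signing a certificate,
# then (on failure) the Win32-style error code: 0x5 is ERROR_ACCESS_DENIED.
GROUP_CHECK_RE = re.compile(
    r"Checking user's group: (?P<member>cn=\S+) against CA admin group: (?P<admin_group>cn=\S+)"
)
ERROR_CODE_RE = re.compile(r"error code: 0x(?P<code>[0-9a-fA-F]+)")

# Constructed sample modelled on the vmcad-syslog.log excerpt in this article.
SAMPLE_VMCAD_LOG = """\
2020-02-18T05:11:24.697375+00:00 info vmcad  t@140407505676032: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: CAAdmins@vsphere.local
2020-02-18T05:11:24.697881+00:00 info vmcad  t@140407505676032: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2020-02-18T05:11:24.698176+00:00 warning vmcad  t@140407505676032: error code: 0x00000005
2020-02-18T05:11:24.698507+00:00 warning vmcad  t@140407505676032: error code: 0x00000005
"""


def find_denied_group_checks(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (member_dn, admin_group_dn, code) for each group check that
    was immediately followed by an access-denied (0x5) error line."""
    denied = []
    pending = None  # the most recent group check still awaiting its result
    for line in log_text.splitlines():
        check = GROUP_CHECK_RE.search(line)
        if check:
            pending = (check.group("member"), check.group("admin_group"))
            continue
        err = ERROR_CODE_RE.search(line)
        if err and pending is not None:
            code = int(err.group("code"), 16)
            if code == 5:
                denied.append((pending[0], pending[1], code))
            pending = None  # later duplicate error lines belong to no new check
    return denied


def cn_of(dn: str) -> str:
    """Extract the leading CN from an LDAP DN such as cn=DCAdmins,cn=Builtin,..."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1]


def missing_ca_admin_members(ca_admins_members: List[str]) -> List[str]:
    """Given the member names of CAAdmins (as shown in Users and Groups),
    return the required groups that are absent, in the article's order."""
    present = {name.strip().lower() for name in ca_admins_members}
    return [g for g in REQUIRED_CA_ADMIN_MEMBERS if g.lower() not in present]


if __name__ == "__main__":
    for member, admin_group, code in find_denied_group_checks(SAMPLE_VMCAD_LOG):
        print(f"VMCA denied {cn_of(member)} against {cn_of(admin_group)} (error 0x{code:x})")
    # Assumed membership as read from the SSO client; replace with the real list.
    current_members = ["Administrator"]
    for group in missing_ca_admin_members(current_members):
        print(f"CAAdmins is missing required member group: {group}")
```

If the scan reports a denial for a member DN such as DCAdmins and the membership check lists it (or DCClients) as missing, the article's resolution applies; once both groups show as present the VMCA access check should pass and vpxd firstboot can be retried.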