EAM is unable to deploy vCLS VMs when vpxd-extension certificate has incorrect extended key usage values
Article ID: 344892
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- DRS stops functioning due to vCLS VMs failing to deploy through EAM.
- Errors in /var/log/vmware/vpxd/vpxd.log indicate that solutions like VSM and EAM are unable to login to vpxd:
2021-09-14T04:02:42.105Z info vpxd[52164] [Originator@6876 sub=Default opID=46d8921e] [VpxLRO] -- ERROR lro-2481 -- SessionManager -- vim.SessionManager.loginExtensionByCertificate: vim.fault.NoClientCertificate:
--> Result:
--> (vim.fault.NoClientCertificate) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>
--> msg = ""
--> }
--> Args:
-->
--> Arg extensionKey:
--> "com.vmware.vim.eam"
--> Arg locale:
-->
--> Result:
--> (vim.fault.NoClientCertificate) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>
--> msg = ""
--> }
--> Args:
-->
--> Arg extensionKey:
--> "com.vmware.vim.eam"
--> Arg locale:
-->
- The vpxd-extension solution user certificate has Server Authentication in Extended Key Usage but does not contain any Client Authentication value, such as TLS WWW client authentication or anyExtendedKeyUsage
Environment
VMware vCenter Server 7.0.x
Cause
This occurs when the vpxd-extension certificate has the Extended Key Usage value for Server Authentication without Client Authentication.
Resolution
To resolve this, regenerate the vpxd-extension certificate without Extended Key Usage or use "TLS WWW client authentication" in the values. It's also possible to use anyExtendedKeyUsage.
See Certificate Requirements for Different Solution Paths for more information on certificate requirements.
See Certificate Requirements for Different Solution Paths for more information on certificate requirements.
Feedback
Yes
No
Powered by
