EAM is unable to deploy vCLS VMs when vpxd-extension certificate has incorrect extended key usage values

Article ID: 344892


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • DRS stops functioning due to vCLS VMs failing to deploy through EAM.
  • Errors in /var/log/vmware/vpxd/vpxd.log indicate that solutions such as VSM and EAM are unable to log in to vpxd:
2021-09-14T04:02:42.105Z info vpxd[52164] [Originator@6876 sub=Default opID=46d8921e] [VpxLRO] -- ERROR lro-2481 -- SessionManager -- vim.SessionManager.loginExtensionByCertificate: vim.fault.NoClientCertificate:
--> Result:
--> (vim.fault.NoClientCertificate) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>
--> msg = ""
--> }
--> Args:
-->
--> Arg extensionKey:
--> "com.vmware.vim.eam"
--> Arg locale:
-->
  • The vpxd-extension solution user certificate has Server Authentication in Extended Key Usage but does not contain any Client Authentication value, such as TLS WWW client authentication or anyExtendedKeyUsage.


Environment

vCenter Server 8.x
vCenter Server 7.x

Cause

This occurs when the vpxd-extension certificate has the Extended Key Usage value for Server Authentication without Client Authentication.

Resolution

To resolve this, regenerate the vpxd-extension certificate either without an Extended Key Usage extension or with "TLS WWW client authentication" included in its values. anyExtendedKeyUsage is also acceptable.

See Certificate Requirements for Different Solution Paths for more information on certificate requirements.
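
To confirm the condition described above before and after regenerating the certificate, the following added example (not part of the VMware article or VMware tooling) classifies the Extended Key Usage section of openssl's text output. OpenSSL prints the client value as "TLS Web Client Authentication" and anyExtendedKeyUsage as "Any Extended Key Usage"; the function names and the /tmp export path are assumptions.

```shell
#!/bin/sh
# Added example. On the appliance, export the certificate first
# (the /tmp output path is an arbitrary choice):
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension \
#       --alias vpxd-extension --output /tmp/vpxd-extension.crt

# Read `openssl x509 -noout -text` output on stdin and classify its EKU.
# Prints one of: no-eku | client-ok | server-only | other
classify_eku() {
    awk '
        /X509v3 Extended Key Usage/ {
            found = 1
            if ((getline line) > 0) values = line   # values are on the next line
        }
        END {
            if (!found) print "no-eku"
            else if (values ~ /TLS Web Client Authentication|Any Extended Key Usage/) print "client-ok"
            else if (values ~ /TLS Web Server Authentication/) print "server-only"
            else print "other"
        }'
}

# Check one PEM file against the requirement stated in the article.
# Returns 0 if acceptable, 1 if not, 2 if the file cannot be parsed
# (so an unreadable file is never reported as "no EKU").
check_cert_file() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "ERROR: cannot parse certificate $1"
        return 2
    }
    verdict=$(printf '%s\n' "$text" | classify_eku)
    case "$verdict" in
        no-eku)      echo "OK: no Extended Key Usage extension" ;;
        client-ok)   echo "OK: EKU permits client authentication" ;;
        server-only) echo "FAIL: Server Authentication without Client Authentication"; return 1 ;;
        *)           echo "REVIEW: EKU present without a client authentication value"; return 1 ;;
    esac
}

# Usage: sh check_eku.sh /tmp/vpxd-extension.crt
if [ $# -gt 0 ]; then
    check_cert_file "$1"
fi
```
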