Deployment of WCP and installation of spherelet on hosts failing with "Cannot change the host configuration."

Article ID: 372155

Products

VMware vSphere with Tanzu

Issue/Introduction

  • Deployment of WCP has been initiated and is progressing.
  • During the installation of spherelet on the VMware ESXi hosts, the following general system error occurs:
    "A general system error occurred. Error message: Cannot change the host configuration."
  • The hostname of the VMware ESXi host is 53 characters or longer.
  • In /var/log/hostd.log on the VMware ESXi host, the following log pattern can be seen:

    2024-07-11T11:15:56.944Z In(166) Hostd[2103218]: [Originator@6876 sub=Vimsvc.TaskManager opID=wcp-2962d4d9-de48-46e9-8354-4eb103ff637c-host-22-de-f0-dbba sid=5219b012 user=vpxuser:vsphere.local\vpxd-extension-a9112863-2a93-416a-a925-a143c2fec84c] Task Created : haTask--vim.host.SphereletManager.generateClientCSR-3934953100

    2024-07-11T11:15:57.020Z Er(163) Hostd[2103218]: [Originator@6876 sub=Hostsvc.SphereletManager opID=wcp-2962d4d9-de48-46e9-8354-4eb103ff637c-host-22-de-f0-dbba sid=5219b012 user=vpxuser:vsphere.local\vpxd-extension-a9112863-2a93-416a-a925-a143c2fec84c] Failed to generate CSR: N3Vim3Ssl18CertStoreExceptionE(Unable to parse subject name)

    2024-07-11T11:15:57.020Z In(166) Hostd[2103218]: [Originator@6876 sub=AdapterServer opID=wcp-2962d4d9-de48-46e9-8354-4eb103ff637c-host-22-de-f0-dbba sid=5219b012 user=vpxuser:vsphere.local\vpxd-extension-a9112863-2a93-416a-a925-a143c2fec84c] AdapterServer caught exception; <<5219b012-9b76-b5e0-37f6-0fa754ed6cf9, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 34319'>>, ha-spherelet-mgr, vim.host.SphereletManager.generateClientCSR, <vim.version.v8_0_2_0, internal, 8.0.2.0>, (null)>, N3Vim5Fault15HostConfigFault9ExceptionE(Fault cause: vim.fault.HostConfigFault

Cause

As part of the preparation phase of joining a VMware ESXi host as a Kubernetes worker (using our kubelet-like implementation called spherelet), a kubelet client certificate is generated from a CSR with the subject "/C=US/ST=CA/L=PaloAlto/O=system:nodes/CN=system:node:<ESXi-hostname>". As per the Kubernetes documentation, the "Common Name" (CN) should be in the format "system:node:<ESXi-hostname>". The same format is used in vanilla Kubernetes installations.

If the hostname of the VMware ESXi host is 53 characters or longer, the CN consists of the 53 characters of the hostname plus the 12 characters of "system:node:", resulting in a total length of 65 characters. The X.509 certificate specification (RFC 5280) limits the "Common Name" (CN) to a maximum length of 64 characters. If this limit is exceeded, certificate issuance fails and the join process can never complete.

Resolution

There is no resolution, as the best practices of Kubernetes and the limitations of the X.509 certificate specification are followed.

An FQDN/hostname of 52 characters or fewer must be used. If affected, please rename the VMware ESXi hosts accordingly.
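
A pre-deployment check for the CN limit described under Cause, combined with a scan for the hostd.log signature listed under Issue/Introduction. This is an added example, not VMware code: the function names, hostnames and log lines are constructed, and the log lines are shortened from the format shown above.

```python
import re

CN_PREFIX = "system:node:"  # CN format quoted in the article (12 characters)
CN_MAX = 64                 # RFC 5280 upper bound for commonName
OPID = re.compile(r"opID=(\S+)")

def spherelet_subject(hostname):
    """CSR subject in the form the article quotes."""
    return "/C=US/ST=CA/L=PaloAlto/O=system:nodes/CN=" + CN_PREFIX + hostname

def cn_overflow(hostname):
    """Characters by which the CN exceeds the limit; 0 means it fits."""
    return max(0, len(CN_PREFIX + hostname) - CN_MAX)

def failed_csr_opids(lines):
    """opIDs where a generateClientCSR task is followed by the subject parse failure."""
    started, failed = set(), []
    for line in lines:
        m = OPID.search(line)
        if not m:
            continue
        opid = m.group(1)
        if "Task Created" in line and "SphereletManager.generateClientCSR" in line:
            started.add(opid)
        elif "Failed to generate CSR" in line and "Unable to parse subject name" in line:
            if opid in started and opid not in failed:
                failed.append(opid)
    return failed

# Constructed hostnames: 52 characters (fits) and 53 characters (one too many).
HOST_OK = "esxi-" + "a" * 34 + ".example.test"
HOST_LONG = "esxi-" + "a" * 35 + ".example.test"

# Constructed hostd.log lines, shortened from the format shown in the article.
SAMPLE_LOG = [
    "2024-01-01T00:00:00.000Z In(166) Hostd[1]: [sub=Vimsvc.TaskManager opID=wcp-demo-host-1 "
    "user=vpxuser] Task Created : haTask--vim.host.SphereletManager.generateClientCSR-1",
    "2024-01-01T00:00:00.100Z Er(163) Hostd[1]: [sub=Hostsvc.SphereletManager opID=wcp-demo-host-1 "
    "user=vpxuser] Failed to generate CSR: N3Vim3Ssl18CertStoreExceptionE(Unable to parse subject name)",
    "2024-01-01T00:00:01.000Z In(166) Hostd[1]: [sub=Vimsvc.TaskManager opID=wcp-demo-host-2 "
    "user=vpxuser] Task Created : haTask--vim.host.SphereletManager.generateClientCSR-2",
]

if __name__ == "__main__":
    for host in (HOST_OK, HOST_LONG):
        print(len(host), "over by", cn_overflow(host), spherelet_subject(host))
    print("failed CSR opIDs:", failed_csr_opids(SAMPLE_LOG))
```

Run cn_overflow against every planned ESXi FQDN before enabling WCP; any non-zero result is the number of characters the hostname must lose.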