Failed to SSL handshake; SSL(<io_obj p:0x0000002e86fda5f0, h:30, <TCP '10.10.10.10 : 8111'>, <TCP '10.10.10.11 : 11911'>>), e: 167773208(tlsv1 alert unknown ca (SSL routines)), duration: 5msec
Er(163) Fdm[1151234]: --> The remote host certificate has these problems:
Er(163) Fdm[1151234]: -->
Er(163) Fdm[1151234]: --> * unable to get local issuer certificate)
vCenter Server 8.0.3
This is caused by a change to vSphere HA in version 8.0 U3, which now validates the host certificate during FDM operations.
To work around this issue, change the vpxd certificate mode to "vmca" or "custom" depending on your environment. See the links below for further instructions.
NOTE: Ensure the vCenter services are restarted so the change takes effect:
service-control --stop --all && service-control --start --all
Important: If the ESXi hosts use custom CA-signed certificates, enabling vmca mode and renewing will overwrite the custom certificates. Use caution when choosing the appropriate path.
Step 1: Refer to Managing Certificates for ESXi Hosts for details on choosing the correct mode for your environment.
Step 2: Refer to Change the ESXi Certificate Mode for steps to update the certificate mode.
Step 3: Refer to Renew or Refresh ESXi Certificates for steps to renew the certificates on the ESXi hosts.
Important Note: Perform "Refresh CA" and "Renew certificate" for each host using the vSphere Client or PowerCLI after changing the Certificate Mode.
Some environments may be using thumbprint mode to work around an existing certificate issue causing host connectivity problems. These issues will have to be properly diagnosed and corrected when using vmca and custom modes.
Note: Thumbprint mode is not recommended as a permanent solution for certificate related issues, and should only be used as a temporary fallback while troubleshooting.
Sample PowerCLI script to refresh ESXi host certificates.
# To use this script, connect to vCenter first (Connect-VIServer), then
# dot-source the file and pipe host names to the function:
#   > . c:\path\to\script.ps1
#   > Get-Cluster | Get-VMHost | ForEach-Object { $_.Name } | refreshcerts
#
# For each host it runs "Refresh CA" (CertMgrRefreshCACertificatesAndCRLs_Task)
# followed by "Renew certificate" (CertMgrRefreshCertificates_Task) through the
# vCenter CertificateManager API, waiting for each task to complete.

# Waits on the task MoRef returned by the API. Wait-Task expects a PowerCLI
# Task object, so the task view is polled directly instead.
function Wait-CertTask
{
    param([VMware.Vim.ManagedObjectReference]$TaskMoRef)
    $taskView = Get-View -Id $TaskMoRef
    while ($taskView.Info.State -eq 'running' -or $taskView.Info.State -eq 'queued') {
        Start-Sleep -Seconds 2
        $taskView.UpdateViewData('Info')
    }
    if ($taskView.Info.State -eq 'error') {
        Write-Warning ("Task failed: " + $taskView.Info.Error.LocalizedMessage)
    }
}

function refreshcerts
{
    Begin {
        $certMgr = Get-View -Id 'CertificateManager-certificateManager'
    }
    Process {
        Write-Host "Processing $_"
        $hostView = Get-VMHost -Name $_ | Get-View
        # The API takes an array of HostSystem references
        [VMware.Vim.ManagedObjectReference[]]$hostParam = @($hostView.MoRef)

        # Step 1: refresh the CA certificates and CRLs on the host
        $task = $certMgr.CertMgrRefreshCACertificatesAndCRLs_Task($hostParam)
        Wait-CertTask -TaskMoRef $task

        # Step 2: renew the host certificate
        $task = $certMgr.CertMgrRefreshCertificates_Task($hostParam)
        Wait-CertTask -TaskMoRef $task
    }
    End {
        Start-Sleep -Seconds 10
        Write-Host "Done"
    }
}
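Before changing the certificate mode, it helps to know which hosts carry custom CA-signed or self-signed certificates, since a vmca renew overwrites custom ones. The following pre-check is an added example, not part of the KB or its sample script; it assumes an existing Connect-VIServer session and uses a hypothetical Get-EsxiCertificateInventory function name and -Cluster parameter.

```powershell
# Added example (not from the KB): report the current vpxd certificate mode and
# each host's certificate issuer so custom-CA hosts are identified before any
# mode change or renew. Assumes an active Connect-VIServer session.
function Get-EsxiCertificateInventory
{
    [CmdletBinding()]
    param(
        [string]$Cluster = '*'   # hypothetical cluster-name filter
    )

    # Current vpxd certificate mode: thumbprint, vmca or custom
    $mode = (Get-AdvancedSetting -Entity $global:DefaultVIServer -Name 'vpxd.certmgmt.mode').Value
    Write-Host "vpxd.certmgmt.mode = $mode"

    foreach ($vmhost in (Get-Cluster -Name $Cluster | Get-VMHost)) {
        # HostConfigInfo.certificate holds the host's PEM certificate as bytes;
        # disconnected hosts may not expose it, so skip them with a warning.
        $pemBytes = $vmhost.ExtensionData.Config.Certificate
        if (-not $pemBytes) {
            Write-Warning "No certificate available for $($vmhost.Name) (state: $($vmhost.ConnectionState))"
            continue
        }
        $pem = [System.Text.Encoding]::ASCII.GetString($pemBytes)
        # Strip the PEM armour and whitespace, then decode to DER
        $der = [Convert]::FromBase64String(($pem -replace '-----[^-]+-----', '' -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

        [pscustomobject]@{
            Host       = $vmhost.Name
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

# Usage: Get-EsxiCertificateInventory | Format-Table -AutoSize
```

Hosts whose Issuer is neither the VMCA nor the CA trusted by vCenter are the ones that will fail FDM validation under vmca or custom mode, and self-signed or custom-CA entries are the ones to handle per the Important note above.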