Failed to SSL handshake; SSL(<io_obj p:0x0000002e86fda5f0, h:30, <TCP '**.**.**.** : 8111'>, <TCP '**.**.**.** : 11911'>>), e: 167773208(tlsv1 alert unknown ca (SSL routines)), duration: 5msec
YYYY:MM:DDTHH:MM:SS Er(163) Fdm[11588024]: --> [context]zKq7AVECAQAAAPONbgEKZmRtAID8eoEBZmRtAIDJF2cBgBugagGApKJqAYBapGoBgJ4GbAGAgDdsAYBL1IwBAYJ6AGxpYnB0aHJlYWQuc28uMAAC7y4PbGliYy5zby42AA==[/context] creating ssl stream or doing handshake
Er(163) Fdm[1151234]: --> The remote host certificate has these problems:
Er(163) Fdm[1151234]: -->
Er(163) Fdm[1151234]: --> * unable to get local issuer certificate)
vCenter Server 8.0.3
This is caused by a change to vSphere HA in version 8.0U3 which now validates the certificate during fdm operations.
Self Signed Certificates on ESXi host are no longer supported by vCenter.
In an environment where ESXi host have self signed certificates and the advanced settings in vCenter "vpxd.certmgmt.mode" is set to "thumbprint" ESXi host with self signed certificates can be added to the vCenter however vSphere HA will not successfully enable due to the unsupported certificate.
To work around this issue, change the vpxd certificate mode to "vmca" or "custom" depending on your environment. See the links below for further instructions.
NOTE: Ensure to restart services to reflect the change:service-control --stop --all && service-control --start --all
Important: If the ESXi hosts use custom CA signed certificates, enabling vmca mode and renewing will overwrite the custom certificates. Please use caution before choosing the proper path.
Step 1: Refer to Managing Certificates for ESXi Hosts for details on choosing the correct mode for your environment.
Step 2: Refer to Change the ESXi Certificate Mode for steps to update the certificate mode.
Step 3: Refer to Renew or Refresh ESXi Certificates for steps to renew the certificates on the ESXi hosts.
Recommendation for ease of management is to have vCenter manage the ESXi hosts certificates.
Important Note:
Refresh CA
," and "Renew certificate
" for each host using vSphere Client or using PowerCLI after changing the Certificate Mode.Some environments may be using thumbprint mode to work around an existing certificate issue causing host connectivity problems. These issues will have to be properly diagnosed and corrected when using vmca and custom modes.
Note: Thumbprint mode is not recommended as a permanent solution for certificate related issues, and should only be used as a temporary fallback while troubleshooting.
Sample PowerCLI script to refresh ESXi host certificates.
c:\temp\renew_esxi_certs.ps1
)function refreshcerts
{
Begin{
}
Process{
Write-host "Processing $_"
$hostid = Get-VMHost $_ | Get-View
$hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1)
$hostParam[0] = New-Object VMware.Vim.ManagedObjectReference
$hostParam[0].value = $hostid.moref.value
$hostParam[0].type = 'HostSystem'
$_this = Get-View -Id 'CertificateManager-certificateManager'
$task = $_this.CertMgrRefreshCACertificatesAndCRLs($hostParam)
$task = $_this.CertMgrRefreshCertificates($hostParam)
}
End{
Start-Sleep -Seconds 10
Write-host "Done"
}
}
. c:\temp\renew_esxi_certs.ps1
get-cluster | get-vmhost | foreach {$_.Name} | refreshcerts
Note: You may specify the cluster name to replace the certs cluster wise (eg. get-cluster -Name "ClusterName"
)