HA clusters fail to configure in vCenter Server 8.0 U3 when the VPXD certificate mode is set to "thumbprint".

Article ID: 372329


Products

VMware vCenter Server 8.0

Issue/Introduction

  • After upgrading to vCenter Server 8.0.3, HA-enabled clusters fail to configure, and only the primary HA host remains active.
  • HA-enabled clusters start to show the following warning:
    Insufficient configured resources to satisfy the desired vSphere HA failover level on the cluster
  • Messages in fdm.log mention "tlsv1 alert unknown ca" when contacting other hosts:


    Failed to SSL handshake; SSL(<io_obj p:0x0000002e86fda5f0, h:30, <TCP '**.**.**.** : 8111'>, <TCP '**.**.**.** : 11911'>>), e: 167773208(tlsv1 alert unknown ca (SSL routines)), duration: 5msec
    YYYY:MM:DDTHH:MM:SS Er(163) Fdm[11588024]: --> [context]zKq7AVECAQAAAPONbgEKZmRtAID8eoEBZmRtAIDJF2cBgBugagGApKJqAYBapGoBgJ4GbAGAgDdsAYBL1IwBAYJ6AGxpYnB0aHJlYWQuc28uMAAC7y4PbGliYy5zby42AA==[/context] creating ssl stream or doing handshake
    
  • fdm.log also contains messages similar to the following when attempting to contact the master FDM host:

    Er(163) Fdm[1151234]: --> The remote host certificate has these problems:
    Er(163) Fdm[1151234]: -->
    Er(163) Fdm[1151234]: --> * unable to get local issuer certificate)
  • vCenter Server's certificate mode is set to thumbprint mode.

Environment

vCenter Server 8.0.3

Cause

This is caused by a change to vSphere HA in version 8.0 U3, which now validates the ESXi host certificate during FDM operations.

Self-signed certificates on ESXi hosts are no longer supported by vCenter.

In an environment where ESXi hosts have self-signed certificates and the vCenter advanced setting "vpxd.certmgmt.mode" is set to "thumbprint", the hosts can still be added to vCenter; however, vSphere HA will not enable successfully because the self-signed certificate is unsupported.

Resolution

To work around this issue, change the vpxd certificate mode to "vmca" or "custom", depending on your environment. See the links below for further instructions.

NOTE: Restart the vCenter services so that the change takes effect:
service-control --stop --all && service-control --start --all

Important: If the ESXi hosts use custom CA-signed certificates, enabling vmca mode and renewing will overwrite the custom certificates. Use caution when choosing the appropriate mode.

Step 1: Refer to Managing Certificates for ESXi Hosts for details on choosing the correct mode for your environment. 

Step 2: Refer to Change the ESXi Certificate Mode for steps to update the certificate mode.

Step 3: Refer to Renew or Refresh ESXi Certificates for steps to renew the certificates on the ESXi hosts.

For ease of management, the recommendation is to have vCenter manage the ESXi host certificates.

  1. Ensure the advanced setting on the vCenter object (vpxd.certmgmt.mode) is configured to vmca mode.
  2. Right-click the ESXi host, select Certificates, then select Renew Certificate.
  3. Once complete, right-click the host and select Refresh CA Certificates.
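Before changing the mode it helps to know which hosts are self-signed (the ones HA now rejects) and which carry custom CA certificates (which a VMCA renewal would overwrite). The following PowerCLI audit is an added example, not part of this KB: it reports the current vpxd.certmgmt.mode, classifies each host certificate, and switches thumbprint to vmca only when no custom CA certificate is present. The function names, the classification heuristic, and the use of HostSystem.Config.Certificate as a PEM byte array are assumptions, as is an existing Connect-VIServer session.

```powershell
# Added example, not from the KB. Assumes an active Connect-VIServer session and
# that the host certificate is exposed as a PEM byte array in
# HostSystem.Config.Certificate (assumption).
function Get-EsxiCertificateStatus {
    $vc   = $global:DefaultVIServer
    $mode = (Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode').Value
    Write-Host "vpxd.certmgmt.mode on $($vc.Name): $mode"

    foreach ($vmhost in Get-VMHost) {
        $view = $vmhost | Get-View -Property Name, Config.Certificate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [byte[]]$view.Config.Certificate)
        # Heuristic classification: subject == issuer means self-signed (what HA
        # rejects in 8.0 U3); VMCA-issued certs carry DC=vsphere in the issuer;
        # anything else is treated as a custom CA certificate.
        $kind = if ($cert.Subject -eq $cert.Issuer) { 'SelfSigned' }
                elseif ($cert.Issuer -match 'DC=vsphere') { 'VMCA' }
                else { 'CustomCA' }
        [pscustomobject]@{
            Host     = $vmhost.Name
            Issuer   = $cert.Issuer
            Kind     = $kind
            NotAfter = $cert.NotAfter
        }
    }
}

# Switch thumbprint mode to vmca only when no host carries a custom CA cert.
# Afterwards restart the vCenter services (service-control command in the
# Resolution section) and run Renew Certificate / Refresh CA Certificates per host.
function Set-CertificateModeVmca {
    $status = Get-EsxiCertificateStatus
    if ($status | Where-Object Kind -eq 'CustomCA') {
        Write-Warning 'Custom CA certificates found; use "custom" mode instead of vmca.'
        return
    }
    $setting = Get-AdvancedSetting -Entity $global:DefaultVIServer -Name 'vpxd.certmgmt.mode'
    if ($setting.Value -eq 'thumbprint') {
        Set-AdvancedSetting -AdvancedSetting $setting -Value 'vmca' -Confirm:$false | Out-Null
        Write-Host 'vpxd.certmgmt.mode set to vmca; restart vCenter services to apply.'
    }
}
```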

Important Note:

  • Communication issues between vCenter Server and ESXi hosts may occur after changing the certificate mode on vCenter Server. To avoid them, perform "Refresh CA Certificates" and "Renew Certificate" for each host using the vSphere Client or PowerCLI after changing the certificate mode.
  • A sample PowerCLI script is available in the Additional Information section of this KB.
  • Please refer to Renew or Refresh ESXi Certificates for more details on the Refresh and Renew certificate operations.

Additional Information

Some environments may be using thumbprint mode to work around an existing certificate issue causing host connectivity problems. These issues will have to be properly diagnosed and corrected when using vmca and custom modes.

Note: Thumbprint mode is not recommended as a permanent solution for certificate related issues, and should only be used as a temporary fallback while troubleshooting.

Sample PowerCLI script to refresh ESXi host certificates.

  • Save the lines below as a PowerShell script (e.g. c:\temp\renew_esxi_certs.ps1)

    function refreshcerts
    {
        # Reads ESXi host names from the pipeline and refreshes each host's
        # certificates through the vCenter CertificateManager managed object.
        Begin {
            $certMgr = Get-View -Id 'CertificateManager-certificateManager'
        }
        Process {
            Write-Host "Processing $_"
            $hostView = Get-VMHost $_ | Get-View
            # The CertificateManager methods take an array of HostSystem references
            $hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1)
            $hostParam[0] = New-Object VMware.Vim.ManagedObjectReference
            $hostParam[0].Value = $hostView.MoRef.Value
            $hostParam[0].Type = 'HostSystem'
            # Refresh the CA certificates and CRLs first, then renew the host certificate
            $null = $certMgr.CertMgrRefreshCACertificatesAndCRLs($hostParam)
            $null = $certMgr.CertMgrRefreshCertificates($hostParam)
        }
        End {
            Start-Sleep -Seconds 10
            Write-Host "Done"
        }
    }

  • Import the refreshcerts function into PowerShell using the dot-sourcing (.) operator

    . c:\temp\renew_esxi_certs.ps1

  • Log in to the vCenter Server using Connect-VIServer
  • Run the refreshcerts function as shown below (this renews the certificates on the hosts of all clusters):

    get-cluster | get-vmhost | foreach {$_.Name} | refreshcerts

Note: You may specify a cluster name to renew the certificates one cluster at a time (e.g. get-cluster -Name "ClusterName").