vSphere HA warning on cluster following upgrade of vCenter to 8.0.3 Insufficient configured resources
search cancel

vSphere HA warning on cluster following upgrade of vCenter to 8.0.3 Insufficient configured resources

book

Article ID: 374441

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Following the upgrade of vCenter from any version to 8.0.3, HA-enabled clusters begin to show the following warning:
    "Insufficiently configured resources to satisfy the desired vSphere HA failover level on the cluster"

    "All the ESXi host within the cluster HA status showing as 'election' "





In ESXi Host FDM logs: (/var/run/log/fdm.log)

  • YYYY-MM-DDTHH:MM:SS.SSSZ warning fdm[9749654] [Originator@6876 sub=IO.Connection opID=WorkQueue-6c8eb045] Failed to SSL handshake; SSL(<io_obj p:0x000000dd4c945180, h:9, <TCP '###.###.###.### : 38750'>, <TCP '###.###.###.### : 8182'>>), e: 336134278(certificate verify failed (SSL routines, ssl3_get_server_certificate)), duration: 2msec
  • YYYY-MM-DDTHH:MM:SS.SSSZ error fdm[9749521] [Originator@6876 sub=Message opID=WorkQueue-6c8eb045] Error N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:

    --> PeerThumbprint: hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh

    --> ExpectedThumbprint:

    --> ExpectedPeerName: example.com

    --> The remote host certificate has these problems:

    --> * Host name does not match the subject name(s) in certificate.)
    --> [context]zKq7AVECAQAAAPONbgEKZmRtAIAsc4EBZmRtAIB7TWoBgMiVagGA9JhqAYCqmmoBgL7/awGAoDBsAYBryIwBATt9AGxpYnB0aHJlYWQuc28uMAACbdEObGliYy5zby42AA==[/context] on handshake
  • YYYY-MM-DDTHH:MM:SS.SSSZ warning fdm[9742468] [Originator@6876 sub=IO.Connection opID=WorkQueue-3bf3f956] Failed to SSL handshake; SSL(<io_obj p:0x0000007a57967830, h:31, <TCP '###.###.###.### : 8182'>, <TCP '###.###.###.### : 58141'>>), e: 336151608(tlsv1 alert internal error (SSL routines, ssl3_read_bytes)), duration: 3msec
  • YYYY-MM-DDTHH:MM:SS.SSSZ error fdm[9742480] [Originator@6876 sub=Message opID=WorkQueue-3bf3f956] Error N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error)--> [context]zKq7AVECAQAAAPONbgEKZmRtAIAsc4EBZmRtAICJEWcBgGuWagGA9JhqAYCqmmoBgL7/awGAoDBsAYBryIwBATt9AGxpYnB0aHJlYWQuc28uMAACbdEObGliYy5zby42AA==[/context] creating ssl stream or doing handshake
  • YYYY-MM-DDTHH:MM:SS.SSSZ warning fdm[9742479] [Originator@6876 sub=IO.Connection opID=WorkQueue-e769bda] Failed to SSL handshake; SSL(<io_obj p:0x0000007a57945c10, h:28, <TCP '###.###.###.### : 8182'>, <TCP '###.###.###.### : 58142'>>), e: 336151608(tlsv1 alert internal error (SSL routines, ssl3_read_bytes)), duration: 2msec

  • YYYY-MM-DDTHH:MM:SS.SSSZ Wa(164) Fdm[2133766]: [Originator@6876 sub=Election opID=WorkQueue-203a52a4] Failed to connect to master host-xxxx

    YYYY-MM-DDTHH:MM:SS.SSSZ Db(167) Fdm[2133766]: [Originator@6876 sub=Election opID=WorkQueue-203a52a4] Added invalid master host-6043

    YYYY-MM-DDTHH:MM:SS.SSSZ Wa(164) Fdm[2133766]: [Originator@6876 sub=Election opID=WorkQueue-203a52a4] Host host-xxxx has been declared invalid 2672 times

    YYYY-MM-DDTHH:MM:SS.SSSZ In(166) Fdm[2133766]: [Originator@6876 sub=Message opID=WorkQueue-203a52a4] Destroying connection

    YYYY-MM-DDTHH:MM:SS.SSSZ Wa(164) Fdm[2133891]: [Originator@6876 sub=IO.Connection opID=WorkQueue-5c505dbd] Failed to SSL handshake; SSL(<io_obj p:0x0000000e30493f70, h:8, <TCP 'x.x.x.x : 54148'>, <TCP 'x.x.x.x: 8182'>>), e

    : 167772294(certificate verify failed (SSL routines)), duration: 11msec

Environment

VMware vCenter Server 8.0.3

Cause

  • Self-signed certificates on ESXi hosts are no longer supported by vCenter.

  • In environments where ESXi hosts have self-signed certificates and the advanced setting in vCenter, 'vpxd.certmgmt.mode,' is set to 'thumbprint,' ESXi hosts with self-signed certificates can be added to vCenter. However, vSphere HA will not successfully enable due to the unsupported certificate.

Resolution

Please verify the certificate configuration on ESXI hosts in the environment (VMCA or Custom). 

 

- If the vCenter manages the ESXi host with VMCA certificates.

Ensure that the advanced setting on the vCenter object is configured to 'vmca mode':

           

  1. Right-click the ESXi host, select Certificates, and then choose Renew Certificate.
  2. Once the process is complete, right-click the host again and select Refresh CA Certificates.

 

- If the vCenter manages the ESXi host with custom assigned certificates.

Ensure that the advanced setting on the vCenter object is configured to 'custom mode':

  1. Right-click the ESXi host, select Configure--> Certificates, Manage with External CA
  2. Select Refresh CA Certificates.

Additional Information

Change the certificate mode to custom. See Change the ESXi Certificate Mode

Powered by Wolken Software