vSphere HA warning on cluster following upgrade of vCenter to 8.0.3 Insufficient configured resources
Article ID: 374441
Products
VMware vSphere ESXi
Issue/Introduction
Following the upgrade of vCenter from any version to 8.0.3, HA-enabled clusters begin to show the following warning: "Insufficiently configured resources to satisfy the desired vSphere HA failover level on the cluster"
All ESXi hosts within the cluster show an HA status of 'election'.
In the ESXi host FDM logs:
YYYY-MM-DDTHH:1MM:17.656Z warning fdm[9749654] [Originator@6876 sub=IO.Connection opID=WorkQueue-6c8eb045] Failed to SSL handshake; SSL(<io_obj p:0x000000dd4c945180, h:9, <TCP 'XXX.XXXX.XXX.XXX : 38750'>, <TCP 'XXX.XXXX.XXX.XXX : 8182'>>), e: 336134278(certificate verify failed (SSL routines, ssl3_get_server_certificate)), duration: 2msec
YYYY-MM-DDTHH:1MM:17.656Z error fdm[9749521] [Originator@6876 sub=Message opID=WorkQueue-6c8eb045] Error N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
--> ExpectedThumbprint:
--> ExpectedPeerName: example.com
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.)
--> [context]zKq7AVECAQAAAPONbgEKZmRtAIAsc4EBZmRtAIB7TWoBgMiVagGA9JhqAYCqmmoBgL7/awGAoDBsAYBryIwBATt9AGxpYnB0aHJlYWQuc28uMAACbdEObGliYy5zby42AA==[/context] on handshake
Self-signed certificates on ESXi hosts are no longer supported by vCenter.
In environments where ESXi hosts have self-signed certificates and the vCenter advanced setting 'vpxd.certmgmt.mode' is set to 'thumbprint', those hosts can still be added to vCenter. However, vSphere HA will not enable successfully because the certificate is unsupported.
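To confirm which peers are failing certificate verification, the FDM log entries shown above can be parsed and grouped per handshake. The following is an added example, not code from the original article or from VMware. It assumes the on-disk log keeps each '-->' continuation on its own line and that the second TCP endpoint in the warning is the remote peer; the sample log values are constructed.

```python
import re

ENTRY = re.compile(r"^\S+Z\s+\w+\s+fdm\[")            # timestamp, level, fdm[pid]
OPID = re.compile(r"opID=([\w-]+)")
PEER = re.compile(r"<TCP '([^']+?) : \d+'>>\)")      # assumption: 2nd endpoint is the remote peer
FIELD = re.compile(r"^-->\s*(PeerThumbprint|ExpectedPeerName):\s*(\S*)")
PROBLEM = re.compile(r"^-->\s*\*\s*(.+?)\)?\s*$")

def split_entries(text):
    """Attach '-->' continuation lines to the timestamped line that opens the entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append([line])
        elif entries and line.startswith("-->"):
            entries[-1].append(line)
    return entries

def find_cert_failures(text):
    """One record per SSLVerifyException, joined to its handshake warning by opID."""
    peers, failures = {}, []
    for head, *rest in split_entries(text):
        m = OPID.search(head)
        op = m.group(1) if m else None
        if "Failed to SSL handshake" in head:
            p = PEER.search(head)
            peers[op] = p.group(1) if p else None
        elif "SSLVerifyException" in head:
            rec = {"opID": op, "peer": peers.get(op), "problems": []}
            for line in rest:
                if (f := FIELD.match(line)):
                    rec[f.group(1)] = f.group(2)
                elif (pr := PROBLEM.match(line)):
                    rec["problems"].append(pr.group(1))
            failures.append(rec)
    return failures

# Constructed sample in the shape of the excerpt above (addresses, names, thumbprint are made up).
SAMPLE = """\
2024-01-01T10:00:17.656Z warning fdm[1001] [Originator@6876 sub=IO.Connection opID=WorkQueue-1a] Failed to SSL handshake; SSL(<io_obj p:0x01, h:9, <TCP '192.0.2.11 : 38750'>, <TCP '192.0.2.12 : 8182'>>), e: 336134278(certificate verify failed (SSL routines, ssl3_get_server_certificate)), duration: 2msec
2024-01-01T10:00:17.656Z error fdm[1002] [Originator@6876 sub=Message opID=WorkQueue-1a] Error N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: AA:AA:AA:AA
--> ExpectedThumbprint:
--> ExpectedPeerName: esx02.example.com
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.)
2024-01-01T10:00:18.000Z info fdm[1003] [Originator@6876 sub=Cluster] unrelated constructed line
"""

if __name__ == "__main__": print(find_cert_failures(SAMPLE))
```

Each record pairs the expected peer name with the problems FDM reported, which identifies the hosts whose certificates need renewing.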
Resolution
A recommended best practice for ease of management is to have vCenter manage the ESXi host certificates.
Ensure that the advanced setting 'vpxd.certmgmt.mode' on the vCenter object is configured to 'VMCA mode'.
Right-click the ESXi host, select Certificates, and then choose Renew Certificate.
Once the process is complete, right-click the host again and select Refresh CA Certificates.