Cloud builder fails to validate ESXi hosts due to SSL and SSH thumbprint mismatch.

Article ID: 378251


Products

VMware SDDC Manager, VMware vSphere ESX 7.x, VMware vSphere ESX 8.x

Issue/Introduction

The Cloud builder pre-deployment validation fails with the message:

"SSL thumbprint for ESXi [email protected] is not matching. Expected 'SHA256xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', actual 'SHA256wyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'" 

The vcf-bringup-debug.log file reports the following:

Collected the following errors for task with name SkipRemainingValidationItemsOnFailure and ID 7f000001-9223-1517-8192-24123a1400aa: [ExecutionError [errorCode=null, errorResponse=LocalizableErrorResponse(messageBundle=com.vmware.evo.sddc.common.core.error.messages)]]
2024-09-24T12:47:22.862+0000 [bringup,66f2b4dabb1f3102be3ba60db188854a,2cf4] DEBUG [c.v.e.s.o.c.ProcessingTaskSubscriber,pool-2-thread-4] Invoking task SkipRemainingValidationItemsOnFailure.UNDO Description: Skip Remaining Validation Items On Failure Event, Plugin: BringupValidationPlugin, ParamBuilder null, Input map: {responses={SecurePlatformAudit____4__AuditEsxiHostSecurityThumbprintsActionResponse,SecurePlatformAudit____4__InstallCertificatesOnCbActionResponse,SecurePlatformAudit____4__TrustSshKeysActionResponse,SecurePlatformAudit____4__AuditEsxiHostSecureConnectionResponse}, exceptionMessage='SecurePlatformAudit has detected security issues all remaining tasks should be skipped.'}, Id: 7f000001-9223-1517-8192-24123a1400a9 ...
2024-09-24T12:47:22.869+0000 [bringup,66f2b4dabb1f3102be3ba60db188854a,2cf4] DEBUG [c.v.e.s.o.c.c.ContractParamBuilder,pool-2-thread-4] Contract task Skip Remaining Validation Items On Failure Event input: {"exceptionMessage":"SecurePlatformAudit has detected security issues all remaining tasks should be skipped.","responses":[{"errorCode":"*****","arguments":[],"context":{"severity":"ERROR","bundleName":"com.vmware.evo.sddc.common.validation.errors.messages","validation.taskId":"7f000001-9223-1517-8192-24123a0c00a0"},"message":"Preparing Security Requirements for Running Validation Failed","nestedErrors":[{"errorCode":"*****","arguments":["SSL","ESXi","ESXi01.gslabs.local","1B71517254D5D151718254D5DEE0B3965DD5F6F1723D620DFB25D75129DDDEF01BEE7BF7B1","8725AD0AFC95C6398AC2D71ED14B701A627B26AC3F1F15518F282AA26051E889

Environment

VCF 4.x, 5.x

Cause

The issue occurs due to incorrect SSL and SSH thumbprint input in the workbook parameter spreadsheet.

Resolution

  • Enter the correct SSH and SSL thumbprints for the respective hosts in the workbook parameter spreadsheet.
  • The thumbprints can be obtained by any of the following methods.
  • For the SSL thumbprint:
    • From an SSH session on the ESXi host, run: openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha256 -noout
    • Or, from a remote host, run: echo -n | openssl s_client -connect <esxihost_FQDN>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
    • Or, from the DCUI: System Customization -> View Support Information
  • For the SSH thumbprint:
    • From a remote server, run: ssh-keygen -lf <(ssh-keyscan IP_address_of_esxi 2>/dev/null)
    • Or, from the DCUI: System Customization -> View Support Information
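
A pre-check for the values before they go into the workbook, as an added example that is not part of the original article or any VMware tooling: it compares a recorded thumbprint with what the host presents, tolerating notation differences (colons, case, a SHA256 prefix). The function names and the set of accepted notations are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: names and accepted notations below are assumptions, not VCF tooling.

# Reduce an SSL thumbprint to bare upper-case hex, so "sha256 Fingerprint=AA:BB",
# "SHA256:aa:bb" and "AABB" all compare equal.
normalize_ssl() {
  printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/^[Ss][Hh][Aa]256[:= ]*//' |
    tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Reduce an SSH fingerprint to its base64 body (case-sensitive, padding removed).
normalize_ssh() {
  case "$1" in
    *SHA256:*) printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n 's/^SHA256://p' | head -n 1 ;;
    *)         printf '%s\n' "$1" | tr -d ' \t\r' ;;
  esac | sed 's/=*$//'
}

# $1 = workbook value, $2 = openssl output. 0 = match, 1 = mismatch, 2 = no usable
# fingerprint (an unreachable host gives empty output, which must not count as a match).
check_ssl() {
  want=$(normalize_ssl "$1"); got=$(normalize_ssl "$2")
  printf '%s\n' "$got" | grep -Eq '^[0-9A-F]{64}$' || return 2
  [ "$want" = "$got" ]
}

# $1 = workbook value, $2 = ssh-keygen -l output. ssh-keyscan may return one line per
# host key type, so the workbook value is accepted if it equals any of them exactly.
check_ssh() {
  want=$(normalize_ssh "$1")
  [ -n "$want" ] || return 2
  printf '%s\n' "$2" | tr ' \t' '\n\n' | sed -n 's/^SHA256://p' | grep -Fxq -- "$want"
}

# Live collection with the same tools as the remote commands above (needs network access).
fetch_ssl() {
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}
fetch_ssh() { ssh-keyscan "$1" 2>/dev/null | ssh-keygen -lf -; }

# usage: audit_host <esxi_fqdn> <workbook SSL thumbprint> <workbook SSH thumbprint>
audit_host() {
  rc=0
  check_ssl "$2" "$(fetch_ssl "$1")" || { echo "$1: SSL thumbprint differs or host unreachable"; rc=1; }
  check_ssh "$3" "$(fetch_ssh "$1")" || { echo "$1: SSH thumbprint differs or host unreachable"; rc=1; }
  return "$rc"
}
```

Values fetched over the network are only as trustworthy as the path to the host; the on-host command and the DCUI give the reference values.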