"Provision failed for hosts : [host-<ID>, ]. Please try renewal or refresh of client certificates for valid ESXi Clients." when trying to refresh the VASA Client certificates on the Hosts.

Article ID: 378665


Products

VMware vCenter Server

Issue/Introduction

  • Refreshing the storage provider certificate fails with the error "Provision failed for hosts : [host-<ID>,]. Please try renewal or refresh of client certificates for valid ESXi Clients. Ensure that hosts are healthy and valid as well as all VASA 5.0 or greater VVOL VASA Providers are online. com.vmware.sms.smsFault.locale"

  • In addition, any attempt to renew the ESXi certificate from the vSphere UI fails with the error "Unable to get signed certificate forhost: Error: Operation failed with error = ERROR_ACCESS-DENIED (5)"

  • The /var/log/vmware/vpxd/vpxd.log of the vCenter Server Appliance confirms that the task to obtain VASA provider information fails:

    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    reason = "Failed to get VasaProvider infoVVolLib_GetVendorProviders ipc failed."
    -->    msg = "Received SOAP response fault from [<<io_obj p:0x00007f1a04ae0568, h:86, <UNIX ''>, <UNIX '/var/run/envoy-hgw/hgw-pipe'>>, /hgw/host-101602/vpxa>]: GetVasaProviderInfoList
    --> Received SOAP response fault from [<<io_obj p:0x000000cafb3c7130, h:21, <TCP '127.0.0.1 : 48002'>, <TCP '127.0.0.1 : 8307'>>, /sdk>]: GetVasaProviderInfoList
    --> A general system error occurred: Failed to get VasaProvider infoVVolLib_GetVendorProviders ipc failed."
    --> }

  • The /var/log/vmware/vmcad/vmcad.log of the vCenter Server Appliance confirms that the lookup of the user group DCAdmins inside the CA admin group fails with error code 0x00000005:

    info vmcad  t@<ID>: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 
    info vmcad  t@<ID>: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
    YYYY-MM-DDT<time> info vmcad  t@<ID>: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 
    warning vmcad t@<ID>: error code: 0x00000005
    warning vmcad t@<ID>: error code: 0x00000005
    warning vmcad t@<ID>: error code: 0x0000000
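
A triage sketch for the vmcad.log symptom above, added here as an example and not taken from the original article or from VMware tooling: it pairs each "Checking user's group" line with the next 0x00000005 on the same thread to name the group being denied. The sample log is constructed from the excerpt with made-up timestamps and thread IDs; the function name and the same-thread pairing heuristic are assumptions.

```python
import re
from collections import Counter

ACCESS_DENIED = 0x5  # the error code shown in the vmcad.log excerpt

THREAD = re.compile(r"\bt@([^:\s]+):")
GROUP_CHECK = re.compile(r"Checking user's group: (.+?) against CA admin group:\s*(\S*)")
ERROR_CODE = re.compile(r"error code: (0x[0-9a-fA-F]+)")

# Constructed sample modelled on the excerpt (timestamps and thread IDs are invented).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z info vmcad  t@1001: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group:
2024-01-01T10:00:00Z info vmcad  t@1001: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2024-01-01T10:00:00Z info vmcad  t@1002: Checking user's group: cn=DCClients,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2024-01-01T10:00:00Z info vmcad  t@1001: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group:
2024-01-01T10:00:00Z warning vmcad t@1001: error code: 0x00000005
2024-01-01T10:00:00Z warning vmcad t@1001: error code: 0x00000005
2024-01-01T10:00:00Z warning vmcad t@1001: error code: 0x0000000
"""

def denied_group_checks(lines):
    """Count (group DN, CA admin group DN) checks followed by access denied.

    Heuristic (assumption): an 0x00000005 warning belongs to the most recent
    group check logged on the same thread; repeated warnings count once.
    """
    pending = {}        # thread id -> last group check seen on that thread
    denied = Counter()
    for line in lines:
        thread = THREAD.search(line)
        if not thread:
            continue
        tid = thread.group(1)
        check = GROUP_CHECK.search(line)
        if check:
            pending[tid] = (check.group(1).strip(), check.group(2))
            continue
        err = ERROR_CODE.search(line)
        # int(..., 16) compares the value, so a truncated code is not mistaken for 5
        if err and int(err.group(1), 16) == ACCESS_DENIED and tid in pending:
            denied[pending.pop(tid)] += 1
    return denied

if __name__ == "__main__":
    for (group, ca_group), count in denied_group_checks(SAMPLE_LOG.splitlines()).items():
        print(f"{count}x access denied: {group} is not accepted as a member of {ca_group}")
```

To use it on a real appliance log, pass the lines of a copy of /var/log/vmware/vmcad/vmcad.log instead of the sample; a group DN reported here is a candidate for the missing CAAdmins member described under Cause.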

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x

Cause

The user group DCAdmins is missing from the CAAdmins group.

Resolution

Add the missing DCAdmins member to CAAdmins in the vCenter Server vmdird database using jXplorer, following the steps below.

    1. Take a powered-off snapshot of the vCenter Server Appliance VM.

    2. Set up jXplorer on the local system. Detailed instructions can be found in: Using JXplorer to connect to the vSphere Single Sign-on

    3. Connect to the vCenter server using jXplorer.

    4. Navigate to Builtin -> CAAdmins.

    5. Manually add the following missing members under CAAdmins. (The example below uses the domain name vsphere.local; adjust it to match your vSphere domain name.)

      cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local
      cn=DCClients,cn=Builtin,dc=vsphere,dc=local