Unable to add ESXi host to vCenter with error: "Unable to push signed certificate to host"

Article ID: 384769

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Administrators may encounter failures when attempting to manage or patch an ESXi host within a vCenter Server environment. This issue typically presents with the following symptoms:

  • Host Addition Failure: Adding an ESXi host to the vCenter Server fails with the error message: Unable to push signed certificate to host.

  • Patching Failure: Attempting to patch the ESXi host fails with the error: An error occurred during host configuration: /usr/sbin/esxupdate returned with exit status: 15.

  • Log Errors: The /var/run/log/esxupdate.log file shows an outdated or incorrect system time (e.g., dates defaulting back to 1998) alongside the error: Could not find a trusted signer: certificate is not yet valid.

YYYY-MM-DDTHH:MM:SS Er(11) esxupdate[2103488]: vmware.esximage.Errors.InstallationError: VMware_bootbank_esx-update_8.0.3-0.60.24585383, VMware_bootbank_loadesx_8.0.3-0.60.24585383: Failed to setup patcher for upgrade: ('VMware_bootbank_esx-update_8.0.3-0.60.24585383', 'Could not find a trusted signer: certificate is not yet valid')

  • The hostd logs flag a certificate warning regarding the time check: vim.hostd.vimsvc.certificateManager.checkTime.

YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: -----END CERTIFICATE-----
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: [Originator@6876 sub=Solo.Vmomi opID=<opID>: user=vpxuser : DOMAIN\USERNAME] Throw vim.fault.HostConfigFault
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: (vim.fault.HostConfigFault) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: faultMessage = (vmodl.LocalizableMessage) [
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: (vmodl.LocalizableMessage) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2098446]: key = "vim.hostd.vimsvc.certificateManager.checkTime"

Environment

  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x

Cause

  • This issue occurs when the ESXi host's system time is out of sync with the vSphere network. Certificate validation compares the system clock against each certificate's validity period, so a host clock that is set in the past causes the host to treat the certificates pushed by vCenter as "not yet valid," and the connection or patching process fails.
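
The two log symptoms described above can be checked mechanically on logs copied off the host. The following is an added example, not part of the original article or of any VMware tooling: it scans lines in the layout shown in the excerpts for the two signatures and reports how far each logged timestamp trails a trusted reference time. The sample lines are constructed, and the function name `triage`, the 300-second tolerance and the assumption that log timestamps are UTC are illustrative choices.

```python
import re
from datetime import datetime, timezone

# Signatures quoted in the article, keyed by the process that logs them.
SIGNATURES = {
    "esxupdate": "certificate is not yet valid",
    "hostd": "vim.hostd.vimsvc.certificateManager.checkTime",
}
# Assumed layout: <ISO timestamp>[Z] <Level>(<code>) <process>[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)Z?\s+"
    r"\w+\(\d+\)\s+(?P<proc>\w+)\[\d+\]:\s+(?P<msg>.*)$"
)
# Constructed sample lines modeled on the article's excerpts (not real logs).
SAMPLE = [
    "1998-01-01T00:04:11.512Z Er(11) esxupdate[2103488]: Failed to setup patcher "
    "for upgrade: 'Could not find a trusted signer: certificate is not yet valid'",
    "1998-01-01T00:03:58.119Z In(166) Hostd[2098446]: -----END CERTIFICATE-----",
    '1998-01-01T00:03:58.120Z In(166) Hostd[2098446]: key = '
    '"vim.hostd.vimsvc.certificateManager.checkTime"',
]

def triage(lines, reference_utc, max_skew_s=300):
    """Return one finding per line that carries a clock-related certificate signature.

    reference_utc: trusted time for when the failure occurred (for example the
    vCenter clock). max_skew_s is an assumed tolerance, not a VMware threshold.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable or continuation lines are ignored
        proc = m["proc"].lower()
        sig = SIGNATURES.get(proc)
        if sig is None or sig not in m["msg"]:
            continue  # e.g. the PEM trailer line carries no signature
        logged = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
        skew = (reference_utc - logged).total_seconds()
        findings.append({
            "process": proc,
            "logged_at": logged,
            "skew_seconds": skew,            # positive: host clock is behind
            "clock_behind": skew > max_skew_s,
        })
    return findings
```

A finding with `clock_behind` set to true points at the host clock rather than at the certificates themselves, which is the case the Resolution section addresses.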

Resolution

Correct the system time on the affected ESXi host and configure it to sync properly with your network's time protocol.

Step 1: Verify the Current System Time

  1. Establish an SSH connection to the affected ESXi host and log in as root.

  2. Run the date command to verify the host's current date and time. If it is significantly out of sync with your network time, proceed to Step 2.

Step 2: Synchronize System Time

You can correct the time manually or by configuring a time synchronization service via the vSphere Client.

Option A: Configure Time via the vSphere Client

    1. Log in to the vSphere Client and select the target ESXi host.

    2. Navigate to the time configuration settings.

    3. Manually update the date and time to match your vCenter Server, or select a synchronization method:

      • Sync to NTP (Network Time Protocol)

      • Sync to PTP (Precision Time Protocol)

    4. Ensure the chosen service (NTP or PTP) is actively running and managing the host's time.

Option B: Configure Network Time Protocol (NTP) Servers

For long-term stability, it is highly recommended to configure both your ESXi hosts and the vCenter Server to use the same Network Time Protocol (NTP) servers.

    1. In the vSphere Client, update the ESXi host settings to point to your organization's designated NTP server.

    2. Verify that the vCenter Server is also pointed to the same NTP server to ensure continuous synchronization across the environment.

Once the time has been corrected and synchronized, retry adding the ESXi host to vCenter or running the patch installation.

Additional Information

Synchronizing Clocks on the vSphere Network
Configure Network Time Protocol (NTP) on the ESXi
How to configure Network Time Protocol (NTP) on vCenter Server Appliance (VCSA)