vSan Cluster Status shows "Failed to extract requested data. Check vSphere client logs for details"

Article ID: 390691

Updated On:

Products

VMware vSAN

Issue/Introduction

Symptoms:

  • When checking the vSAN cluster status, the Summary tab loads with the following error:

Error: Failed to extract requested data. Check vSphere client logs for details

  • This issue is observed after renewing the vCenter server certificates.
  • The Skyline health menu option under Cluster->Monitor->vSAN does not load in the vSphere UI.

  • The vSAN service menu option under Configure->vSAN loads with the following error: Unable to retrieve the cluster configuration. Check vSphere Client logs for details

 

Validation:

 

  • In the vCenter Server web client log file /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log, the following errors point to a vCenter Server certificate issue:

Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:327)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1689)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1084)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:1012)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:472)
... 52 common frames omitted
Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:260)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1099)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1671)
... 60 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:327)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:236)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:236)
... 62 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Environment

VMware vSAN 7.x
VMware vSAN 8.x

Cause

The SSL trust anchor mismatch occurs when the certificates on the vCenter Server are replaced but the service registrations in the VMware Lookup Service are not updated. The registrations then hold outdated or mismatched SSL trust anchors, and connections to those services fail.

Resolution

To resolve the issue, perform the following steps:

Use the lsdoctor tool to fix the SSL trust mismatch on the vCenter Server. See: Using the 'lsdoctor' Tool
 
1. Upload the lsdoctor tool file to vCenter server.
 
2. Connect via ssh to vCenter server and extract the archived file.
 
3. Check the current status using the -l (lscheck) option.
 # python lsdoctor.py -l
 
Sample Output showing SSL Trust Mismatch error:

ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
You can find the report and logs here: /var/log/vmware/lsdoctor

025-03-11T04:55:54 INFO main: You are reporting on problems found across the SSO domain in the lookup service. This doesn't make changes.
025-03-11T04:55:55 INFO live checkCerts: Checking services for trust mismatches ...
025-03-11T04:55:55 INFO generateReport: Listing lookup service problems found in SSO domain
025-03-11T04:55:55 ERROR generateReport: default-first-site\<vCenter-Server-FQDN> (VC 7.0 or CGW) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix option on this node.
025-03-11T04:55:55 INFO generateReport: Report generated:

 
4. If the result of step 3 shows a trust mismatch, fix it using the -t (trustfix) option.
  # python lsdoctor.py -t
 
5. If running the 'trustfix' option, all services on vCenter need to be restarted. Use this command:
   # service-control --stop --all && service-control --start --all
 
Running lsdoctor helps identify and fix trust anchor mismatches automatically.
 
Notes:
  • The 'lsdoctor -l' (lscheck) function can be run without any disruption of vCenter service.
  • If executing the trustfix (-t option), take an offline snapshot of the vCenter VM prior to executing it.
  • If the vCenter Server is configured with vCenter High Availability (VCHA) enabled, it is recommended to remove VCHA and reconfigure it before taking the above steps.
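
A triage helper for the Validation and lscheck steps above, as an added example that is not part of the original article or of lsdoctor: it walks the "Caused by:" chain in a vsphere_client_virgo.log excerpt and pulls the flagged node out of an lsdoctor -l report. The function names, the host vcsa.example.test and both sample texts are constructed for illustration.

```python
import re
# Signatures quoted in this article's vsphere_client_virgo.log excerpt.
TRUST_SIGNATURES = (
    "VlsiCertificateException: Server certificate chain is not trusted",
    "PKIX path building failed",
    "unable to find valid certification path to requested target",
)
# Matches the ERROR line in the article's sample `lsdoctor.py -l` output.
MISMATCH_RE = re.compile(
    r"ERROR generateReport: (?P<site>[^\\\s]+)\\(?P<node>\S+) .*found SSL Trust Mismatch")

def cause_chains(log_text):
    """Group each run of 'Caused by:' lines, ignoring stack frames, into a chain."""
    chains, current = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Caused by:"):
            current.append(line[len("Caused by:"):].strip())
        elif not line or line.startswith(("at ", "...")):
            continue  # frame, "N common frames omitted", or blank line
        elif current:  # any other line starts a new log entry
            chains.append(current)
            current = []
    if current:
        chains.append(current)
    return chains

def is_trust_anchor_failure(chain):
    """True only when one chain carries all three signatures."""
    joined = "\n".join(chain)
    return all(sig in joined for sig in TRUST_SIGNATURES)

def mismatched_nodes(report_text):
    """Return (site, node) for every node lsdoctor flags for trustfix."""
    return [(m["site"], m["node"]) for m in MISMATCH_RE.finditer(report_text)]

# Constructed samples (hypothetical host, made-up entry headers), not real logs.
SAMPLE_LOG = r"""[constructed entry header] ERROR request failed
Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 62 common frames omitted
[constructed entry header] INFO unrelated entry
"""
SAMPLE_REPORT = r"""2025-01-01T00:00:00 INFO live checkCerts: Checking services for trust mismatches ...
2025-01-01T00:00:00 ERROR generateReport: default-first-site\vcsa.example.test (VC 7.0 or CGW) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix option on this node.
"""
if __name__ == "__main__":
    print([is_trust_anchor_failure(c) for c in cause_chains(SAMPLE_LOG)])
    print("run trustfix on:", mismatched_nodes(SAMPLE_REPORT))
```

A chain that shows only a generic SSLHandshakeException without the PKIX path-building failure does not match, which keeps unrelated TLS errors from being attributed to the Lookup Service trust anchors.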