Bringup fails at 'Preparing Security Requirements for Running Validation' stage with error "Error connecting to ESXi Host <host_FQDN>"
Article ID: 393515

Products

VMware SDDC Manager

Issue/Introduction

The ESXi host's default certificate has been replaced with a custom certificate before bringup, and bringup then fails at the 'Preparing Security Requirements for Running Validation' stage.

Error in the Cloud Builder UI: Error connecting to ESXi Host <host_FQDN>

The /var/log/vmware/vcf/bringup/bringup.log contains entries similar to:

com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:265)

Environment

VCF 5.2.x

Cause

Cloud Builder connects to each ESXi host over TLS and validates the host certificate against the Java truststore of the bringup service. Neither the custom host certificate nor the CA that issued it is present in that truststore, so PKIX path validation fails and the connection is rejected.

Resolution

Import the host certificate into the Cloud Builder truststore (the JVM cacerts file used by the bringup service):

1) Get the certificate from the host:

openssl s_client -showcerts -connect <esxi-fqdn>:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > esx.pem

If the host presents a chain, esx.pem contains every certificate in it; the first block is the host's own certificate. Because s_client trusts whatever the network presents, compare the certificate's fingerprint with the one shown on the host before importing it (keytool prints the fingerprints in step 3 and asks for confirmation).

2) Delete the existing entry for the host from the Cloud Builder truststore (the alias is normally the ESXi FQDN; keytool reports an error if no such alias exists, which is harmless):

keytool -delete -alias <esxi-fqdn> -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts -storepass changeit

3) Import the new certificate under the same alias:

keytool -import -alias <esxi-fqdn> -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts -file esx.pem -storepass changeit

4) Repeat steps 1 to 3 for every host included in the bringup, then run the bringup again.
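The four steps above, wrapped into one script for all hosts in the bringup. This is an added example, not part of the KB article and not VMware tooling: it splits the presented chain into one PEM file per certificate so that the host's own certificate is imported deliberately, prints the leaf's SHA-256 fingerprint for the operator to compare with the host, and only then replaces the truststore entry. The truststore path and password are the ones the article gives; the script name used in the final guard, the per-host file naming (<fqdn>.<n>.pem) and the interactive confirmation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the KB): import ESXi host certificates into the
# Cloud Builder Java truststore, one host at a time, with a fingerprint check.
# Assumptions: truststore path/password as in the article; hosts given as arguments.

TRUSTSTORE=${TRUSTSTORE:-/usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Read openssl s_client output on stdin, write each PEM certificate block to
# <prefix>.<n>.pem (n starting at 0, leaf first) and print how many were found.
split_chain() {
    awk -v p="$1" '
        /-----BEGIN CERTIFICATE-----/ { f = p "." (n + 0) ".pem"; n++ }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Chain presented by the host on 443 (SNI set to the FQDN; errors silenced so
# an unreachable host simply yields zero certificates).
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a PEM file, colon-separated.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Replace whatever the truststore holds under the host alias with the given cert.
# -delete fails when the alias is absent (first import); that is not an error here.
import_cert() {
    keytool -delete -alias "$1" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    keytool -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

main() {
    [ $# -gt 0 ] || { echo "usage: $0 <esxi-fqdn> [<esxi-fqdn> ...]" >&2; exit 2; }
    for host in "$@"; do
        count=$(fetch_chain "$host" | split_chain "$host")
        if [ "$count" -eq 0 ]; then
            echo "$host: no certificate received (host down, port 443 blocked, or TLS failed)" >&2
            continue
        fi
        echo "$host: $count certificate(s) presented; leaf SHA-256 $(fingerprint "$host.0.pem")"
        printf 'Matches the fingerprint shown on the host? [y/N] '
        read -r answer
        [ "$answer" = y ] || { echo "$host: skipped, truststore unchanged"; continue; }
        import_cert "$host" "$host.0.pem"
    done
}

# Only run when executed as the script itself, so the functions can be sourced.
case "${0##*/}" in import-esxi-certs.sh) main "$@" ;; esac
```

Run it on Cloud Builder as `sh import-esxi-certs.sh esx01.example.com esx02.example.com`, answering y only when the printed fingerprint matches what the host itself shows. The script follows the KB and trusts each host's own certificate; where all custom certificates are issued by one internal CA, the last file written for a host (<fqdn>.<n>.pem with the highest n) is that CA's certificate, and trusting it once instead is what PKIX path building needs, since the hosts present the chain.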