vSAN Health error after removing stale KMS certificate

Article ID: 396932

Products

VMware vSAN VMware vCenter Server

Issue/Introduction

  • Following the removal of a stale/expired KMS certificate from the vCenter Endpoint Certificate Store (VECS), vSAN Skyline Health may show the following alert for data-at-rest encrypted vSAN clusters.
    • vSAN cluster configuration consistency - Key management servers information is inconsistent with cluster configuration
  • The following log entries are seen in vmware-vsan-health-service.log on vCenter.
    • 2025-04-14T20:17:12.465Z WARNING vsan-mgmt[09446] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=noOpId] Host: hostname.domain.com has encryptionIssues: ['servercertificatesinconsistent']
      2025-04-14T20:17:12.465Z INFO vsan-mgmt[09446] [VsanHealthEncUtil::_CompareKmsServerCerts opID=noOpId] VC certs ['XX:...:XX', 'YY:...:YY', 'ZZ:...:ZZ',] doesn't equal hosts (str)
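As an added example (not part of this KB), a small Python parser that picks the two log lines above out of vmware-vsan-health-service.log, reporting which hosts carry the servercertificatesinconsistent issue and which KMS certificate thumbprints vCenter currently holds; the sample lines, host names and thumbprints are constructed placeholders modelled on the excerpt.

```python
"""Flag the KMS certificate inconsistency described in this KB from
vmware-vsan-health-service.log lines (added example, constructed input)."""
import re

# Constructed sample lines modelled on the KB excerpt; not a real capture.
SAMPLE_LOG = """\
2025-04-14T20:17:12.465Z WARNING vsan-mgmt[09446] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=noOpId] Host: esx01.example.test has encryptionIssues: ['servercertificatesinconsistent']
2025-04-14T20:17:12.465Z INFO vsan-mgmt[09446] [VsanHealthEncUtil::_CompareKmsServerCerts opID=noOpId] VC certs ['AA:AA:AA', 'BB:BB:BB', 'CC:CC:CC',] doesn't equal hosts (str)
2025-04-14T20:17:13.001Z INFO vsan-mgmt[09446] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=noOpId] Host: esx02.example.test has encryptionIssues: []
"""

ISSUE_RE = re.compile(r"Host: (?P<host>\S+) has encryptionIssues: \[(?P<issues>[^\]]*)\]")
VC_CERTS_RE = re.compile(r"VC certs \[(?P<certs>[^\]]*)\] doesn't equal hosts")
QUOTED_RE = re.compile(r"'([^']*)'")  # tolerates the trailing comma in the list
TARGET_ISSUE = "servercertificatesinconsistent"


def parse_vsan_health_log(text):
    """Return (hosts reporting the KMS cert inconsistency, VC thumbprints)."""
    hosts, vc_certs = [], []
    for line in text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            if TARGET_ISSUE in QUOTED_RE.findall(m.group("issues")):
                hosts.append(m.group("host"))
            continue
        m = VC_CERTS_RE.search(line)
        if m:
            # The host-side list is logged only as "(str)", so just the VC side is recoverable.
            vc_certs = QUOTED_RE.findall(m.group("certs"))
    return hosts, vc_certs


def needs_kms_cert_remediation(text):
    """True when at least one host reports the inconsistency this KB covers."""
    hosts, _ = parse_vsan_health_log(text)
    return bool(hosts)


if __name__ == "__main__":
    affected, certs = parse_vsan_health_log(SAMPLE_LOG)
    print("hosts with", TARGET_ISSUE + ":", affected)
    print("KMS cert thumbprints held by vCenter:", certs)
```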

Environment

vCenter Server 7.x

vCenter Server 8.x

vSAN 7.x

vSAN 8.x

Cause

The ESXi hosts of an existing data-at-rest encrypted vSAN cluster are not aware of the KMS certificate change after the certificate is removed from the vCenter Endpoint Certificate Store (VECS), so the list of KMS server certificates held by vCenter no longer matches the list held by the hosts.

Resolution

  1. Before proceeding, ensure that the applicable KMS entry in vCenter shows connected and healthy.
    1. vCenter UI-->vCenter object in the inventory-->Configure-->Security-->Key Providers-->select KMS entry.
    2. Example of a healthy entry:
  2. Check vSAN Skyline Health and select the vSAN cluster configuration consistency alert.
  3. Select Remediate Inconsistent Configuration.
    1. The action should push the updated KMS certificate from vCenter to the hosts, synchronizing their view of the key provider. A shallow rekey should not be necessary, but caution should be taken when remediating any inconsistency that has the potential to initiate a large amount of data resync.

Additional Information

The following KB may have been used to remove the stale/expired KMS certificates from the vCenter Endpoint Certificate Store (VECS):

Expired KMS server certificate will not be automatically removed from vecs store