Cannot Connect a Host to the vCenter - Authenticity of the Host's SSL Certificate is not verified.

Article ID: 397961


Products

VMware vCenter Server

Issue/Introduction

A host is disconnected from the vCenter and cannot be reconnected. There is an alert in vSphere that says, "Authenticity of the Host's SSL Certificate is not verified."

Changing vpxd.certmgmt.mode to "thumbprint" allows you to reconnect the host. However, when the user changes it back to "vmca" and then renews the host certificate and refreshes the CA certificates from the UI, both operations succeed, but the host reverts to a "not responding" state.

Verifying the certificates on the vCenter shows that they are all valid. Replacing all certificates on the vCenter with self-signed certificates and restarting services causes the vpxd service to fail to start.

The vpxd logs show the following error during service startup:

"Unable to open store vpx from VECS localhost. error:4312 error info: other failure."

Running the VCF Diagnostic Tool for vSphere (VDT) on the vCenter returns the following:

VC Machine ID Check
    [FAIL] Machine ID Check
        Failed to process the vpxd.cfg file! Investigate the invalid XML
        Documentation: https://knowledge.broadcom.com/external/article?legacyId=82751

Environment

vCenter 8.0.3

Cause

This is caused by invalid entries in the /etc/vmware-vpx/vpxd.cfg file.

Resolution

Log in to the vCenter via SSH.

Review and correct the invalid entries in the /etc/vmware-vpx/vpxd.cfg file.

XML validators like https://www.xmlvalidation.com/ can be used to find the line with incorrect entries. 

 

Additional Information

Example:

Reviewing the vpxd.cfg file revealed that invalid entries had been added to it. A user added a section for "PortReserveTimeoutInMin" at the end of the vpxd.cfg file. The section had syntax errors and was in the wrong place in the file.

</config>     <--- This is where the file should end.
  <vpxd>      <--- This is an "open" XML tag.
     <dvs>
          <PortReserveTimeoutInMin>7200</PortReserveTimeoutInMin>
      </dvs>
       <cert> <--- This is another open tag. It needs a closing tag for this statement to be complete.

<vpxd> is a section that appears higher up in the file, and it should have a closing </vpxd>.
<cert> has the same issue and is actually part of the vpxd section higher in the file.
The dvs section is formatted correctly, but it should be under the vpxd section that is already listed earlier in the file.
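
The well-formedness check from the Resolution can also be run locally, so the configuration file does not have to be pasted into an online validator. The following is an added example, not part of the original article or any VMware tooling: it assumes a Python 3 interpreter is available where the file is checked, the function name check_well_formed is hypothetical, and the sample input is constructed to mirror the example above.

```python
import sys
import xml.parsers.expat as expat

CFG_PATH = "/etc/vmware-vpx/vpxd.cfg"  # file named in the article

# Constructed sample (not a real vpxd.cfg): a block appended after </config>,
# as in the article's example.
SAMPLE_BROKEN = b"""<config>
  <vpxd>
    <cert/>
  </vpxd>
</config>
  <vpxd>
     <dvs>
          <PortReserveTimeoutInMin>7200</PortReserveTimeoutInMin>
      </dvs>
       <cert>
"""


def check_well_formed(data):
    """Return None if data is well-formed XML, otherwise a tuple
    (line, column, message, open_elements) for the first error."""
    open_elements = []  # (name, line) of tags opened but not yet closed
    parser = expat.ParserCreate()

    def on_start(name, attrs):
        open_elements.append((name, parser.CurrentLineNumber))

    def on_end(name):
        open_elements.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        return (err.lineno, err.offset, expat.ErrorString(err.code), list(open_elements))
    return None


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CFG_PATH
    with open(path, "rb") as fh:
        result = check_well_formed(fh.read())
    if result is None:
        print(f"{path}: well-formed")
    else:
        line, col, msg, stack = result
        print(f"{path}: line {line}, column {col}: {msg}; still open: {stack}")
        sys.exit(1)
```

A "junk after document element" message means content follows the closing root tag, which is the situation in the example above. A "mismatched tag" or "no element found" message comes with the list of elements that were still open and the lines where they were opened.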