Custom certificate on an ESXi host is not accepted by the vCenter Server. Error: A general system error occurred: SSL Exception: Verification Parameters: PeerThumbprint

Article ID: 399507

Products

VMware vSphere ESXi

Issue/Introduction

  • After renewing the custom certificate on an ESXi host, taking the host out of maintenance mode fails with the following error:

Error: A general system error occurred: SSL Exception: Verification parameters: PeerThumbprint: 4B:AD:D6:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:## ExpectedThumbprint: C0:FF:F3:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:## ExpectedPeerName: localhost.localdomain The remote host certificate has these problems: * Host name does not match the subject name(s) in certificate.

  • The certificate's Subject Alternative Name (SAN) matches the hostname.
  • /var/run/log/vpxa.log

YYYY-MM-DDTHH:MM Wa(164) Vpxa[12978898]: [Originator@6876 sub=Vmomi opID=######-168376-auto-3lx5-h5:######-8c-65] VMOMI activation LRO failed; <<########-####-####-####-########e650, <TCP '127.0.0.1 : 8089'>, <TCP '127.0.0.1 : 35242'>>, vpxa, vpxapi.VpxaService.exitMaintenanceMode, <vpxapi.version.v8_0_x_0, official, 8.0.x.0>, (null)>, N5Vmomi5Fault11SystemError9ExceptionE(Fault cause: vmodl.fault.SystemError

  • /var/run/log/hostd.log

YYYY-MM-DDTHH:MM Wa(164) Hostd[12977221]: [Originator@6876 sub=HttpConnectionPool-000048] Failed to get pooled connection; <cs p:000000844223e0d0, TCP:localhost.localdomain:80>, SSL(<io_obj p:0x000000840df138f0, h:15, <TCP '127.0.0.1 : 58290'>, <TCP '127.0.0.1 : 80'>>), duration: 3msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: --> PeerThumbprint: 4B:AD:D6:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: --> ExpectedThumbprint: C0:FF:F3:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: --> ExpectedPeerName: localhost.localdomain
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: --> The remote host certificate has these problems:
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: -->
YYYY-MM-DDTHH:MM Wa(164) Hostd[12977191]: --> * Host name does not match the subject name(s) in certificate.)
YYYY-MM-DDTHH:MM In(166) Hostd[12977221]: [Originator@6876 sub=IO.Http] Set user agent error; state: 1, (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception:Verification parameters:

  • /var/log/vmware/vpxd/vpxd.log

YYYY-MM-DDTHH:MM warning vpxd[07035] [Originator@6876 sub=Vmomi opID=maie6jqz-168376-auto-3lx5-h5:######-8c] VMOMI activation LRO failed; <<########-####-####-####-########4b6e, <TCP '127.0.0.1 : 8085'>, <TCP '127.0.0.1 : 46176'>>, <Host_moid>, vim.HostSystem.exitMaintenanceMode, <vim.version.v8_0_x_0, internal, 8.0.x.0>, (null)>, N5Vmomi5Fault11SystemError9ExceptionE(Fault cause: vmodl.fault.SystemError
--> )
--> 
YYYY-MM-DDTHH:MM info vpxd[07035] [Originator@6876 sub=vpxLro opID=maie6jqz-168376-auto-3lx5-h5:######-8c] [VpxLRO] -- FINISH task-4649913
YYYY-MM-DDTHH:MM error vpxd[07035] [Originator@6876 sub=Default opID=maie6jqz-168376-auto-3lx5-h5:######-8c] [VpxLRO] -- ERROR task-4649913 -- ########-####-####-####-########4b6e(########-####-####-####-########504a) -- <Host_moid> -- vim.HostSystem.exitMaintenanceMode: :vmodl.fault.SystemError
--> Result:
--> (vmodl.fault.SystemError) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>,
-->    reason = "SSL Exception: Verification parameters:
--> PeerThumbprint: 4B:AD:D6:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedThumbprint: C0:FF:F3:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedPeerName: localhost.localdomain
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate."
-->    msg = "A general system error occurred: SSL Exception: Verification parameters:
--> PeerThumbprint: 4B:AD:D6:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedThumbprint: C0:FF:F3:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedPeerName: localhost.localdomain
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate."
--> }
--> Args:
-->
--> Arg timeout:
--> 0

Cause

  • vpxa facilitates communication between ESXi and vCenter. After the certificate renewal, the state cached by vpxa no longer matches the updated certificate.
  • The logs show "VMOMI activation LRO failed" errors even though the certificate contains the correct SAN entries and is otherwise valid.

Resolution

  • Reboot the ESXi host after the certificate renewal, while it is still in maintenance mode, to clear the cached state of the vpxa service, then reconnect the host to vCenter.
  • Remove the host from maintenance mode only after the host has reconnected successfully.
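
To confirm this signature in a collected hostd.log or vpxd.log, the following added example (not VMware's code) groups each "SSL Exception: Verification parameters" block and flags a PeerThumbprint that differs from the ExpectedThumbprint. The function name is hypothetical, and the sample lines and thumbprint values are constructed for illustration.

```python
import re

START = re.compile(r"SSL Exception:\s*Verification parameters:", re.I)
FIELD = re.compile(r"-->\s*(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(\S+)")
PROBLEM = re.compile(r"-->\s*\*\s*(.*?)[)\"]*\s*$")

def parse_ssl_verify_failures(lines):
    """Return one dict per SSL verification block that lists both thumbprints."""
    records, cur = [], None
    for line in lines:
        if START.search(line):            # header line opens a new block
            cur = {"problems": []}
            records.append(cur)
        elif cur is not None and "-->" not in line:
            cur = None                    # no continuation marker: block ended
        elif cur is not None:
            field, problem = FIELD.search(line), PROBLEM.search(line)
            if field:
                cur[field.group(1)] = field.group(2)
            elif problem:                 # "* ..." lines list the certificate problems
                cur["problems"].append(problem.group(1))
    # Header-only blocks (no thumbprint lines followed) carry nothing to compare
    complete = [r for r in records
                if "PeerThumbprint" in r and "ExpectedThumbprint" in r]
    for r in complete:
        # True when the presented thumbprint differs from the expected one
        r["thumbprint_mismatch"] = (
            r["PeerThumbprint"].upper() != r["ExpectedThumbprint"].upper())
    return complete

# Constructed sample: made-up 20-byte thumbprints, not values from the article
PEER = ":".join(["AA"] * 20)
EXPECTED = ":".join(["BB"] * 20)
P = "2025-01-01T00:00:00.000Z Wa(164) Hostd[1001]: "
SAMPLE = [
    P + "[Originator@6876 sub=HttpConnectionPool-000048] Failed to get pooled connection; "
        "N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:",
    P + "--> PeerThumbprint: " + PEER,
    P + "--> ExpectedThumbprint: " + EXPECTED,
    P + "--> ExpectedPeerName: localhost.localdomain",
    P + "--> The remote host certificate has these problems:",
    P + "-->",
    P + "--> * Host name does not match the subject name(s) in certificate.)",
    P + "[Originator@6876 sub=IO.Http] Set user agent error; state: 1, (null), "
        "N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception:Verification parameters:",
]

if __name__ == "__main__":
    for rec in parse_ssl_verify_failures(SAMPLE):
        print(rec)
```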