Persistent "Key Management Servers information is inconsistent with cluster configuration" alert in vSAN Skyline Health, and selecting to remediate the inconsistency makes no change


Article ID: 399932


Products

VMware vSAN

Issue/Introduction

Disconnecting and reconnecting ESXi hosts to vCenter has no impact

Changes to KMS certificates are not being sent to hosts, and there are no "Update vSAN configuration" host tasks, which are typical when vSAN cluster configuration changes are made

In vmware-vsan-health-summary-result.log, the only alert detail is KeyManagementServersInformationIsInconsistentWithClusterConfiguration

In vmware-vsan-health-service.log, the remediation fails with the following permission denied error:

2025-04-15T16:34:35.395Z ERROR vsan-mgmt[10636] [VsanClusterPrototypeImpl::RemediateCluster opID=W253] RemediateCluster failed: [Errno 13] Permission denied: '/etc/vmware-vpx/ssl/vcsoluser.key'

Listing the directory reveals no read permissions for group or other (0600):

-rw------- 1 root cis 1703 Sep 14 2023 vcsoluser.key

Environment

7.0 U3

Cause

There is no component of the VCSA that would change the file permissions of vcsoluser.key to 0600, so this is a user error.

Resolution

Run the following command on the VCSA, then validate that the file has the expected permissions (-rw-r--r--):

# chmod 0644 /etc/vmware-vpx/ssl/vcsoluser.key

Reboot the VCSA, then select to remediate the inconsistent configuration through the alert.
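
A read-only check for the signature described above, added here as an example (it is not VMware tooling and not part of the original article): it extracts the denied path from a copy of vmware-vsan-health-service.log and compares the key file's mode with the expected -rw-r--r--. The function names and the log-copy argument are assumptions; the key path and expected mode are taken from the article.

```shell
#!/bin/sh
# Added example: confirm the log signature and the key file mode before and after the fix.
# Makes no changes to the system; function names are hypothetical.

KEY=/etc/vmware-vpx/ssl/vcsoluser.key   # path shown in the article's log line
EXPECTED_MODE='-rw-r--r--'              # expected permissions per the Resolution

# Print each distinct path named in a RemediateCluster "Permission denied" error.
# $1: path to a copy of vmware-vsan-health-service.log
denied_paths() {
    sed -n "s/.*RemediateCluster failed: \[Errno 13] Permission denied: '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Print the ls-style mode string of a file (first 10 characters, so a
# trailing ACL or SELinux marker does not affect the comparison).
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# diagnose LOG [KEYFILE]
# Returns 0 when the log names KEYFILE in the error and its mode is not the
# expected one (the condition this article describes); returns 1 otherwise.
diagnose() {
    log=$1
    key=${2:-$KEY}
    if ! denied_paths "$log" | grep -Fxq -- "$key"; then
        echo "no RemediateCluster permission error for $key in $log"
        return 1
    fi
    [ -e "$key" ] || { echo "$key not found"; return 1; }
    mode=$(mode_of "$key")
    if [ "$mode" = "$EXPECTED_MODE" ]; then
        echo "$key is already $mode; the logged error predates the fix or has another cause"
        return 1
    fi
    echo "match: $key is $mode, expected $EXPECTED_MODE"
    return 0
}

# Run only when a log file is given on the command line.
[ $# -eq 0 ] || diagnose "$@"
```

Running it again after the chmod and reboot should report that the key already has the expected mode.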