Adding host with FQDN fails with error "Unable to get CSR from host"

Article ID: 411656

Products

VMware vSphere ESXi 8.0

Issue/Introduction

  • The task of adding an ESXi host to vCenter Server gets stuck at 16% or 80% and then fails with the error "A general system error occurred: Unable to get CSR from host <FQDN>."
  • vpxd.certmgmt.mode on vCenter Server is set to vmca.
  • The vCenter Server log /var/log/vmware/vpxd/vpxd.log contains the following error:

    YYYY-MM-DDThh:mm:ss.zzzZ warning vpxd[28035] [Originator@6876 sub=HttpConnectionPool-000001 opID=xxxx:70076025-24] Failed to get pooled connection; <cs p:00007f429c2098a0, TCP:<Host FQDN>:443>, SSL(<io_obj p:0x00007f4210129280, h:95, <TCP 'vCenter IP : 34600'>, <TCP '<Host IP> : 443'>>), duration: 10msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
    --> PeerThumbprint: XXXX
    --> ExpectedThumbprint:
    --> ExpectedPeerName: <Host FQDN>
    --> The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate)
  • The host can be added by IP address.
  • Regenerating the ESXi host certificate with the command /sbin/generate-certificates does not resolve the issue.
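To find every affected host in a large vpxd.log, the following added example (not VMware's code) folds the multi-line SSLVerifyException record shown above into one record per host and flags the ones whose certificate did not chain to a trusted issuer. The log excerpt inside it is constructed, with placeholder host name, addresses and thumbprint.

```python
import re
from dataclasses import dataclass, field

# Constructed sample vpxd.log excerpt: placeholder host name, IPs and thumbprint.
SAMPLE_LOG = """\
2024-05-01T10:00:01.456Z warning vpxd[28035] [Originator@6876 sub=HttpConnectionPool-000001 opID=xxxx:70076025-24] Failed to get pooled connection; <cs p:00007f429c2098a0, TCP:esx01.example.invalid:443>, SSL(<io_obj p:0x00007f4210129280, h:95, <TCP '192.0.2.10 : 34600'>, <TCP '192.0.2.50 : 443'>>), duration: 10msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
--> ExpectedThumbprint:
--> ExpectedPeerName: esx01.example.invalid
--> The remote host certificate has these problems:
-->
--> * unable to get local issuer certificate)
"""
UNTRUSTED_ISSUER = "unable to get local issuer certificate"

@dataclass
class VerifyFailure:
    timestamp: str
    host: str                       # peer taken from the TCP:<host>:<port> field
    peer_thumbprint: str = ""       # SHA-1 thumbprint the host presented
    expected_thumbprint: str = ""   # empty in this article's vmca-mode log: the chain is validated, nothing is pinned
    expected_peer_name: str = ""
    problems: list = field(default_factory=list)

    def is_untrusted_issuer(self) -> bool:
        """True when the host cert does not chain to a CA vpxd trusts (this article's cause)."""
        return any(UNTRUSTED_ISSUER in p for p in self.problems)

def parse_ssl_verify_failures(log_text: str) -> list:
    """Collect SSLVerifyException records, folding their '-->' continuation lines."""
    failures, current = [], None
    for line in log_text.splitlines():
        if "SSLVerifyExceptionE" in line:
            m = re.search(r"TCP:([^:>]+):\d+>", line)
            current = VerifyFailure(line.split(" ", 1)[0], m.group(1) if m else "")
            failures.append(current)
        elif current is not None and line.startswith("-->"):
            body = line[3:].strip().rstrip(")")
            key, _, value = body.partition(":")
            attr = re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()   # PeerThumbprint -> peer_thumbprint
            if hasattr(current, attr):
                setattr(current, attr, value.strip())
            elif body.startswith("*"):
                current.problems.append(body[1:].strip())
            if line.endswith(")"):          # closing paren ends the exception block
                current = None
    return failures

def hosts_with_untrusted_issuer(log_text: str) -> list:
    return sorted({f.host for f in parse_ssl_verify_failures(log_text) if f.is_untrusted_issuer()})
```

Run it against the real file with `hosts_with_untrusted_issuer(open("/var/log/vmware/vpxd/vpxd.log").read())` to list the hosts that need the reconnect procedure below.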

Environment

ESXi 8.0U3

Cause

vCenter Server does not recognize the issuer of the certificate used by the ESXi host.

The certificate on the host can change if:

  • The host certificate was manually refreshed using the command /sbin/generate-certificates.
  • The host was removed and connected to another vCenter Server.

Resolution

To resolve this issue, follow these steps:

  1. Take a snapshot of vCenter Server (an offline snapshot if the vCenter Servers are in Enhanced Linked Mode (ELM)).
  2. Click the vCenter Server object at the top left of the Inventory.
  3. Click the Configure tab, then Advanced Settings.
  4. Change vpxd.certmgmt.mode from vmca to thumbprint.
  5. SSH to vCenter Server.
  6. Restart the vpxd service:
    service-control --restart vpxd
  7. Reconnect the host using its FQDN.

After the host is connected:

  1. Change vpxd.certmgmt.mode back to vmca.
  2. Restart the vpxd service.
  3. Select the host, renew its certificate and refresh the VMCA certificate.
  4. Disconnect and remove the host.
  5. Re-add the host using its FQDN.

If vCenter Server cannot be restarted, use the following workaround:

  1. Rename the ESXi host (change its hostname).
  2. Add or update the DNS records for the new name.
  3. Refresh the host certificates using the command /sbin/generate-certificates.
  4. Restart the management services.
  5. Add the ESXi host to vCenter Server using the new FQDN.

Additional Information

Related article: Connecting an ESXi host in vCenter fails with error "A general system error occurred: Host management agents not reachable on host".