"Cannot retrieve the requested certificate" error when configuring KMS on vCenter Server

Article ID: 421181


Products

VMware vCenter Server

Issue/Introduction

This issue is encountered when configuring a Key Management Server (KMS) in vCenter Server.

  • The operation fails with the error: "Cannot retrieve the requested certificate."

  • The KMS server log reports: error handshaking connection: error="tls: first record does not look like a TLS handshake"

Environment

VMware vCenter Server 7.x, 8.x

Cause

This issue occurs because a Network Load Balancer (NLB) on the path between the vCenter Server and the KMS is intercepting, rather than passing through, the TLS session used by the "retrieve certificate" operation. The KMS log entry confirms this: the connection reaches the KMS on port 5696, but the first bytes it receives are not a TLS handshake record, so the KMS rejects the connection before it can present its certificate. Consequently, the vCenter Server never receives the KMS certificate and cannot establish the necessary trust with the KMS.

Resolution

To resolve this issue, validate network connectivity from the vCenter Server to the KMS and ensure that no intermediary device (such as a Network Load Balancer or firewall) interferes with the TLS handshake on the KMIP port (5696 by default).

  1. Validate Network Connectivity. Log in to the vCenter Server via SSH and run the following commands, in order, to verify connectivity to the KMS:
    • Verify basic connectivity (ping):
      • ping <KMS_Server_IP>
    • Verify DNS resolution, both forward and reverse:
      • nslookup <KMS_Server_FQDN>
      • nslookup <KMS_Server_IP>
    • Verify port connectivity (TCP port 5696):
      • curl -v telnet://<KMS_Server_IP>:5696
      A successful TCP connection prints "Connected to <KMS_Server_IP>"; a timeout or "Connection refused" points at a firewall or routing problem rather than at TLS.
    • Verify the TLS handshake:
      • openssl s_client -connect <KMS_Server_IP>:5696
      A healthy path prints the KMS certificate chain ("Certificate chain" and "Server certificate" sections). If openssl reports an error such as "wrong version number", or the connection closes without a certificate being shown, a device between the vCenter Server and the KMS is answering on port 5696 without passing TLS through; this matches the "first record does not look like a TLS handshake" entry in the KMS log.
  2. Check Firewall Rules. Ensure that no internal firewall blocks traffic from the vCenter Server to the KMS Server on TCP port 5696.
  3. vCenter Server behind a Network Load Balancer (NLB)
    • Add an exception or pass-through rule on the NLB so that the vCenter Server communicates directly with the KMS on port 5696 for the "Retrieve Certificate" operation, without TLS termination or interception. Running the same openssl command from a host whose path to the KMS does not traverse the NLB, and comparing the output, confirms whether the NLB is the cause.
    • Engage the Network Load Balancer vendor for assistance if a pass-through rule cannot be configured.
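The following Python script is an added example, not part of this article or of any VMware or KMS vendor code. It reproduces both ends of the check behind the symptoms above: looks_like_tls_handshake() applies the same first-record test that Go's crypto/tls library (the source of the "first record does not look like a TLS handshake" wording) applies on the KMS side, and probe_tls_endpoint() performs the vCenter-side probe that openssl s_client performs, but classifies the outcome into the three cases the resolution steps distinguish (no TCP path, TCP but no TLS, TLS completed). So that it runs offline, start_plaintext_responder() is a constructed stand-in for an interposing device that accepts the connection on the KMIP port and answers in clear text; the HTTP reply it sends is a constructed sample, and the host, port and function names are assumptions for illustration.

```python
"""Added example: the two ends of the "first record does not look like a TLS
handshake" check, plus a local stand-in for an intercepting load balancer."""
import socket
import ssl
import struct
import threading

RECORD_HEADER_LEN = 5      # content type (1) + version (2) + length (2)
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
KMIP_PORT = 5696           # default KMIP-over-TLS port used by vCenter Server


def looks_like_tls_handshake(first_bytes: bytes) -> bool:
    """Same sanity check Go's crypto/tls applies to the first record it reads:
    content type must be handshake or alert and the version field must be
    below 0x1000 (real values are 0x0300-0x0304).  An HTTP request line or any
    other plaintext fails this test and the server logs the KB's error."""
    if len(first_bytes) < RECORD_HEADER_LEN:
        return False
    content_type, version, _length = struct.unpack("!BHH", first_bytes[:RECORD_HEADER_LEN])
    return content_type in (CONTENT_ALERT, CONTENT_HANDSHAKE) and version < 0x1000


def probe_tls_endpoint(host: str, port: int = KMIP_PORT, timeout: float = 5.0) -> dict:
    """TCP connect, then attempt a TLS handshake.  Verification is disabled on
    purpose: the only question here is whether the peer speaks TLS at all,
    which separates a blocked or intercepted path from a later trust problem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"tcp": True, "tls": True,
                        "version": tls.version(), "cert_der_len": len(der)}
    except ssl.SSLError as exc:            # TCP worked, TLS did not
        return {"tcp": True, "tls": False,
                "reason": getattr(exc, "reason", None) or str(exc)}
    except OSError as exc:                 # refused, timed out, no route
        return {"tcp": False, "tls": False, "reason": str(exc)}


def diagnose(result: dict) -> str:
    """Map a probe result onto the three cases the resolution steps distinguish."""
    if not result["tcp"]:
        return "no TCP path to port: check routing and firewall rules"
    if not result["tls"]:
        return "peer answered but not with TLS: a load balancer or proxy is intercepting the session"
    return "TLS handshake completed: connectivity is fine, look at certificate trust next"


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed early")
        buf += chunk
    return buf


def start_plaintext_responder(payload: bytes) -> int:
    """Constructed stand-in for an interposing device: accepts one connection on
    loopback, reads the client's first TLS record, answers in clear text, then
    waits for the client to hang up.  Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(3.0)
            try:
                header = _recv_exact(conn, RECORD_HEADER_LEN)
                _, _, length = struct.unpack("!BHH", header)
                _recv_exact(conn, length)          # drain the whole ClientHello
                conn.sendall(payload)
                conn.shutdown(socket.SHUT_WR)
                while conn.recv(4096):             # wait for the client to close
                    pass
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Probe the intercepting stand-in, then a closed port (assumed free)."""
    port = start_plaintext_responder(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    intercepted = probe_tls_endpoint("127.0.0.1", port)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    blocked = probe_tls_endpoint("127.0.0.1", closed_port, timeout=2.0)
    return {"intercepted": intercepted, "blocked": blocked}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result} -> {diagnose(result)}")
```

Against a real KMS, call probe_tls_endpoint("<KMS_Server_IP>") from the vCenter Server shell and again from a host that does not traverse the NLB; a "tls": False result on the first and "tls": True on the second is the signature of the interception this article describes.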