Unable to find ECDSA host key on fileserver, error when performing NSX Backup Configuration


Article ID: 422009


Products

VMware NSX

Issue/Introduction

  • When trying to set up NSX Backup Configuration, you see the error

    Error: Unable to find ECDSA host key on <FQDN_OF_BACKUP_SERVER> at port 22 (Error code: 29271)
  • Log entries similar to the following appear in nsxapi.log

    ####-##-##T##:0####.346Z  INFO http-nio-xxx.xxx.xx.xx.-exec-147 UI_LOG 5325 - [nsx### comp="nsx-manager" level="INFO" reqId="#####-#####-#####-######" subcomp="manager" username="############] {"user":"S########","message":"Api Errors->","messageData":{"headers":{"normalizedNames":{},"lazyUpdate":null},"status":400,"statusText":"Bad Request","url":"https://#############.#########?action=retrieve_ssh_fingerprint","ok":false,"name":"HttpErrorResponse","message":"Http failure response for https://#############.#####.#####api/v1/cluster/backups?action=retrieve_ssh_fingerprint: 400 Bad Request","error":{"httpStatus":"BAD_REQUEST","error_code":29271,"module_name":"backup-restore","error_message":"Error: Unable to find ECDSA host key on fileserver ####.####.#### at port 22 (Error code: 29271)","error_data":{"status":400}}},"level":
  • While configuring SDDC backup from VCF-operation UI, the workflow fails in configuring NSX backup

    Error Message: Failed to configure NSX Backup Schedule for NSX Managers -[<FQDN_OF_BACKUP_SERVER>]
    
    Cause: InvalidRequest (com.vmware.vapi.std.errors.invalid_request) (statusCode:400) => { messages = [], data = => {error_message=Unable tofind ECDSA host key on fileserver <FQDN_OF_BACKUP_SERVER> at port 22, httpStatus=BAD_REQUEST, error_code=29271, module_name=backup-restore}, errorType = INVALID_REQUEST }
    

Environment

VMware NSX 4.2.1

Cause

NSX Manager is configured to strictly accept only the "ecdsa-sha2-nistp256" key, whereas the destination backup server is offering an "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521" key. The bit lengths (256 vs 384) are different, and therefore the handshake did not complete.


Resolution

  1. Perform a key scan on the destination file server to verify the ECDSA key size.

    root@#######:~# ssh-keyscan -t ecdsa { ftpserver FQDN } 

    Example Output ####.####.local:22 SSH-2.0-###### ######.#####.local ecdsa-sha2-nistp384 ###@@###


  2. Generate an ECDSA 256-bit key on the destination file server. (Please contact your backup server vendor for the exact commands.)

    Example :  ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key

  3. Restart the SSH service on the backup server to apply the changes.

  4. Retry the NSX Backup configuration or schedule from the SDDC/NSX Manager UI.
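
The check from step 1, repeated after step 3, can be scripted. The following is an added example, not part of the original article or of any VMware tooling: it classifies ssh-keyscan output by ECDSA key type and reports whether ecdsa-sha2-nistp256 is offered. The function names, exit codes, hostnames and key blobs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): classify the ECDSA host keys a
# backup server offers, using ssh-keyscan output ("host keytype base64key").

# Print each distinct ECDSA key type found on stdin, skipping "#" banner lines.
ecdsa_key_types() {
    awk '!/^#/ && $2 ~ /^ecdsa-sha2-/ && !seen[$2]++ { print $2 }'
}

# Exit status: 0 = ecdsa-sha2-nistp256 offered (the type NSX Manager accepts),
#              1 = only other ECDSA curves offered (the mismatch described above),
#              2 = no ECDSA host key offered at all.
check_nsx_ecdsa() {
    types=$(ecdsa_key_types)
    if [ -z "$types" ]; then
        echo "no ECDSA host key offered"
        return 2
    fi
    if printf '%s\n' "$types" | grep -qx 'ecdsa-sha2-nistp256'; then
        echo "ok: ecdsa-sha2-nistp256 offered"
        return 0
    fi
    echo "mismatch: server offers $(printf '%s' "$types" | tr '\n' ',')"
    return 1
}

# Live check against a server; host and optional port are supplied by the caller.
scan_host() {
    ssh-keyscan -t ecdsa -p "${2:-22}" "$1" 2>/dev/null | check_nsx_ecdsa
}

# Constructed sample inputs (hostnames and key blobs are placeholders).
SAMPLE_P384='# backup.example.local:22 SSH-2.0-OpenSSH_9.6
backup.example.local ecdsa-sha2-nistp384 AAAAconstructedP384'
SAMPLE_FIXED='backup.example.local ecdsa-sha2-nistp256 AAAAconstructedP256'
SAMPLE_NONE='backup.example.local ssh-ed25519 AAAAconstructedEd25519'
```

To use it, source the file and run scan_host with the backup server FQDN; a non-zero exit status before step 2 and a zero status after step 3 confirms the key change took effect.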

Additional Information