Supervisor control plane VM has Configuration error "Configured Control Plane VMs Configuration error (since MM/DD/YYYY, HH:MM:SS) The control plane VM XXXXXXXXXXXXXXXXXXXX72 was unable to validate the vCenter (FQDN of VC) "

search cancel

Supervisor control plane VM has Configuration error "Configured Control Plane VMs Configuration error (since MM/DD/YYYY, HH:MM:SS) The control plane VM XXXXXXXXXXXXXXXXXXXX72 was unable to validate the vCenter (FQDN of VC) "

book

Article ID: 423539

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere Kubernetes Service VMware Tanzu Platform - Kubernetes

Issue/Introduction

On the Workload Management page, the Supervisor Cluster appears in an error configuration state.

Cluster Error Message:
The configured control plane VMs cluster XXXXXX-XXXX-XXXX-XXXX-XXXXX is unhealthy, as the server is requesting client authentication credentials.

Supervisor control plane VMs has configuring error :

Message:

Configuration error (since MM/DD/YYYY, HH:MM:SS).
The control plane VM XXXXXXXXXXXXXXXXXXXX72 was unable to validate the vCenter certificate(FQDN). The vCenter server certificate is invalid.

was

Environment

VMware vSphere with Tanzu

Cause

The issue occurred due to an invalid or expired certificate on the vCenter Server. During the configuration of the Supervisor control plane VM, the control plane was required to validate the vCenter Server certificate using the configured FQDN. Since the Machine SSL certificate presented by vCenter was no longer valid, the certificate validation failed, resulting in the Supervisor control plane VM being unable to complete its configuration.

Resolution

Verify vCenter Server Certificates:

vCenter Server certificates can be verified using either the vSphere Client (UI) or SSH access.

Verification via vSphere Client (UI) :

Log in to the vSphere Client.
Navigate to Administration > Certificates > Certificate Management.
Verify the status and validity of all certificates listed, including:
- Machine SSL Certificate
- STS Signing Certificate
- Trusted Root Certificates

Important Note:

Before performing any vCenter certificate renewal, ensure that a snapshot of the vCenter Server is taken.

Refer to the following best-practice documentation for guidance:

See "Snapshot Best practices for vCenter Server Virtual Machines" and "VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice" for more information

Certificate Renewal for vCenter Server:

If any certificates are found to be expired:

Renew the vCenter Server certificates using the vCert tool.
Certificate status can also be verified directly from the vCenter Server using SSH with the vCert utility.

For detailed steps, refer to the following article:

vCert – Scripted vCenter Expired Certificate Replacement

Feedback

thumb_up Yes

thumb_down No