VCF ESXi Host Pre-Checks Fails at: 'Check if host certificate will be valid during the next 30 days'


Article ID: 430184


Products

  • VMware SDDC Manager / VCF Installer
  • VMware Cloud Foundation

Issue/Introduction

  • When performing host upgrades or updates within SDDC Manager, the pre-check workflow fails during the ESXi host certificate validation phase.
  • The pre-check task "Check if host certificate will be valid during the next 30.0 days" returns a status of ERROR.
  • Error Description: "Host certificate has expired or is going to expire in the next 30.0 days".
  • Lifecycle Management (LCM) operations are blocked for the affected workload domain or host.

Environment

  • VMware Cloud Foundation 4.x
  • VMware Cloud Foundation 5.x

Cause

The VCF LCM pre-check workflow includes a validation that requires all ESXi host certificates to remain valid for at least 30 days from the time the pre-check is executed. If a certificate has already expired, or if its expiration date falls within this 30-day buffer, the pre-check fails so that a certificate cannot expire during or immediately after the upgrade process.

Resolution

To resolve this issue, renew the ESXi host certificate to ensure the certificate validity period exceeds 30 days.

  • Renewing the ESXi Host Certificate Using VMCA

    1. Log in to the vSphere Client for the vCenter Server managing the affected ESXi hosts.
    2. Navigate to Hosts and Clusters.
    3. Select the affected ESXi host.
    4. Click the Configure tab.
    5. Under System, select Certificate.
    6. Click Renew to regenerate the host certificate.

      Note: By default, this operation uses the VMware Certificate Authority (VMCA) to issue a new certificate. After the certificate is renewed, confirm that the Expiration Date reflects the updated validity period.

      Reference: Renew or Refresh ESXi Certificates 

    7. Return to the SDDC Manager UI.
    8. Navigate to the Updates/Patches tab for the affected Workload Domain.
    9. Click Re-run Pre-checks.
       
  • If Using CA-Signed (Custom) Certificates

    1. If the environment is configured to use custom CA-signed certificates instead of VMCA, follow the appropriate procedure to replace or renew the ESXi host certificate using your Certificate Authority.

      Refer to the relevant KB article: Configuring CA signed certificates for ESXi hosts

    2. After replacing the certificate and verifying the updated expiration date, re-run the pre-checks in SDDC Manager.
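
To confirm outside the UI that every host certificate clears the 30-day window before re-running the pre-checks, the following added example (not VMware code and not part of the original article) classifies hosts by the `notAfter` date of the certificate they present. The host names and dates are constructed sample data, the `fetch_enddate` helper assumes a local `openssl` binary on the PATH, and treating exactly 30 days as a pass is an assumption.

```python
import ssl
import subprocess
from datetime import datetime, timezone

THRESHOLD_DAYS = 30.0  # validity window named in the pre-check task


def parse_not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=Jun 15 08:00:00 2025 GMT' (openssl x509 -enddate output)."""
    value = enddate_line.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(not_after: datetime, now: datetime, threshold: float = THRESHOLD_DAYS):
    """Return (status, days_left); ERROR mirrors the pre-check failure condition."""
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        return "ERROR: expired", days_left
    if days_left < threshold:  # assumption: the page does not define the exact boundary
        return "ERROR: expires within window", days_left
    return "OK", days_left


def fetch_enddate(host: str, port: int = 443) -> str:
    """Read the certificate a live host presents (no chain validation) and ask
    the local openssl binary (assumed installed) for its notAfter line."""
    pem = ssl.get_server_certificate((host, port))
    result = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                            input=pem, capture_output=True, text=True, check=True)
    return result.stdout


def report(enddates: dict, now: datetime) -> list:
    """Classify every host and list the soonest expiry first."""
    rows = [(host, *classify(parse_not_after(line), now)) for host, line in enddates.items()]
    return sorted(rows, key=lambda row: row[2])


# Constructed sample data: hypothetical host names, made-up dates.
SAMPLE = {
    "esx03.example.test": "notAfter=Mar  1 08:00:00 2027 GMT",
    "esx01.example.test": "notAfter=May 20 08:00:00 2025 GMT",
    "esx02.example.test": "notAfter=Jun 15 08:00:00 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 6, 1, 8, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status, days in report(SAMPLE, SAMPLE_NOW):
        print(f"{host:22} {days:8.1f} days  {status}")
```

For live hosts, build the input with `{h: fetch_enddate(h) for h in hosts}` and pass `datetime.now(timezone.utc)` as the reference time.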

Additional Information

For prerequisites, refer to: Renew or Refresh ESXi Certificates