Enabling Host Encryption Fails With Error CreateKey Failed on the Key Provider

Article ID: 438448

Products

VMware vSphere ESXi

Issue/Introduction

  • Attempts to re-enable host encryption on a specific ESXi host fail with a "General run time error" on the key provider.
  • The /vpxd/vpxd.log reports:

"Cannot generate key. CreateKey failed"

  • The /var/log/vmware/vmafd/vmafdd.log shows the following errors:

YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR]  (alias trustedCert_3-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_4-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_5-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_6-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_7-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_8-kms_fqdn_alias from store ID 13) returned > error: 4312 
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_9-kms_fqdn_alias from store ID 13) returned > error: 4312
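When a vmafdd.log contains many of these repeated blocks, it helps to reduce them to the list of VECS aliases that could not be found and the KMS they belong to, so you can compare that list against what is actually in the trust store before re-trusting the key provider. The following script is an added example written for this article, not VMware tooling; it runs over constructed sample lines modelled on the excerpt above (the `kms_fqdn_alias` placeholder and the timestamps are not real values), and it accepts the first, truncated line form that lacks the `GetEntryByAlias` prefix as well as the full form.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the vmafdd.log excerpt in this article.
# Timestamps and "kms_fqdn_alias" are placeholders, not values from a real system.
SAMPLE_LOG = """\
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR]  (alias trustedCert_3-kms_fqdn_alias from store ID 13) returned > error: 4312
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] [Error - 4312, lotus/vmafd/server/vmafd/vecsserviceapi.c:962]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] ERROR! [VecsIpcGetEntryByAlias] is returning  [4312]
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_4-kms_fqdn_alias from store ID 13) returned > error: 4312
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][ERROR] GetEntryByAlias (alias trustedCert_4-kms_fqdn_alias from store ID 13) returned > error: 4312
YYYY:MM:DDTHH:MM:SS.Z [vmafdd][INFO] unrelated informational line (constructed)
"""

# Matches the failing lookup regardless of whether the "GetEntryByAlias" prefix
# survived (the first occurrence in the article's excerpt is truncated).
LOOKUP_RE = re.compile(
    r"\(alias (?P<alias>\S+) from store ID (?P<store>\d+)\) returned > error: (?P<code>\d+)"
)


def find_missing_vecs_entries(log_text, error_code=4312):
    """Return {store_id: sorted aliases} for VECS lookups that failed with error_code.

    Duplicate lines for the same alias collapse into one entry so the result is
    the set of certificates the key-provider trust check could not find.
    """
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m and int(m.group("code")) == error_code:
            missing[int(m.group("store"))].add(m.group("alias"))
    return {store: sorted(aliases) for store, aliases in missing.items()}


def kms_identifiers_from_aliases(aliases):
    """Strip the trustedCert_<n>- prefix to recover which KMS each missing alias belongs to."""
    found = set()
    for alias in aliases:
        m = re.match(r"trustedCert_\d+-(?P<kms>.+)$", alias)
        if m:
            found.add(m.group("kms"))
    return sorted(found)


def summarize(log_text):
    """Human-readable summary: one line per store listing the missing aliases and KMS names."""
    lines = []
    for store, aliases in sorted(find_missing_vecs_entries(log_text).items()):
        kms = ", ".join(kms_identifiers_from_aliases(aliases))
        lines.append(f"store ID {store}: {len(aliases)} missing alias(es) for KMS [{kms}]: {', '.join(aliases)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 vecs_missing.py < /var/log/vmware/vmafd/vmafdd.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(summarize(text) or "no VECS lookup failures with error 4312 found")
```

Each alias the script reports is one the key-provider trust check expected to find in the vCenter trust store and did not; that list is what Workaround 1 rebuilds by re-trusting the KMS, and what Workaround 2 adds by hand.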

Environment

  • VMware vCenter Server 7.x / 8.x

  • VMware ESXi 7.x / 8.x

Cause

An SSL handshake failure occurs between the vCenter Server and the Key Management Server (KMS) because mapped trusted root certificates required for the KMIP connection are missing from the vCenter trusted store.

Resolution

Workaround 1: 

  1. Log in to the vSphere Client.

  2. Navigate to vCenter Server > Configure > Security > Key Providers.

  3. Select the affected Key Provider and record the configuration details (KMS address, port, and proxy settings).

  4. Remove the existing KMS from the Key Provider configuration.

  5. Re-add the KMS using the details recorded in Step 3.

  6. When prompted, establish a new trust relationship by clicking Trust to re-fetch and import the certificates from the KMS.

  7. Attempt to re-enable host encryption on the ESXi host. 

Workaround 2: 

  • Follow KB 313293 to manually add the current certificates of the KMS servers into the KMS trust store.