Unable to add ESXi host to vCenter due to error "Certificate unable to verify"

Article ID: 389767


Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

If vCenter cannot verify the certificate on the ESXi host, adding the host to vCenter fails and the following error message appears in the task bar:

 A general system error occurred: Failed to verify certificate on <ESXi-FQDN-or-IP>. When ESXi Certificate Mode is set to custom it is mandatory to install valid certificate on ESXi host before adding the host to VC

This article applies when a custom CA certificate is not required on the ESXi host.

Cause

The certificate chain is broken.

 

Resolution

  • Enable maintenance mode on the ESXi host.

To do this in the ESXi Host Client, see "Place an ESXi Host in Maintenance Mode in the VMware Host Client".
To do this in the vSphere Client, see "Place a Host in Maintenance Mode".
To do this from the command line, see "Place a Host in Maintenance Mode using esxcli command".

  • Back up the SSL certificate being used. 

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

  • Regenerate the SSL certificate.

/sbin/generate-certificates

  • Restart services so that the new SSL certificate takes effect.

services.sh restart

  • Now the certificate is reset to ESXi self-signed. Open the browser and visit ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates" to verify the change.
  • Exit maintenance mode on ESXi host.

Additional Information

If you need to revert to the previous SSL certificate, follow the steps below:

  • Enable maintenance mode on the ESXi host.
  • Overwrite the new SSL certificate with the previous one.

mv /etc/vmware/ssl/rui.crt.bak /etc/vmware/ssl/rui.crt
mv /etc/vmware/ssl/rui.key.bak /etc/vmware/ssl/rui.key

  • Restart services so that the previous SSL certificate takes effect.

services.sh restart

  • Now the certificate is restored to the previous one. Open the browser and visit ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates" to verify the change.
  • Exit maintenance mode on ESXi host.
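
A check to run before "services.sh restart" in both the regeneration and the revert procedure above, as an added example that is not part of the original article: it confirms that rui.crt and rui.key belong to the same key pair and that the certificate has not expired, then prints the details to compare with the Host Client "Certificates" page. It assumes the openssl binary is available in the ESXi shell; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not VMware's code): sanity-check the ESXi certificate/key pair.
# Default paths are the ones used in this article; other paths may be passed in.
ESX_CRT=/etc/vmware/ssl/rui.crt
ESX_KEY=/etc/vmware/ssl/rui.key

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 if the pair is usable, 1 on mismatch or expiry, 2 if a file is
# missing or unreadable (for example only one of the two .bak files was moved).
check_pair() {
    cp_crt=${1:-$ESX_CRT}
    cp_key=${2:-$ESX_KEY}
    [ -s "$cp_crt" ] && [ -s "$cp_key" ] || {
        echo "FAIL: missing or empty file: $cp_crt / $cp_key"; return 2; }
    cp_cpub=$(cert_pubkey "$cp_crt") || {
        echo "FAIL: cannot parse certificate $cp_crt"; return 2; }
    cp_kpub=$(key_pubkey "$cp_key") || {
        echo "FAIL: cannot parse private key $cp_key"; return 2; }
    # Compare the two public keys; an empty value must never count as a match.
    [ -n "$cp_cpub" ] && [ "$cp_cpub" = "$cp_kpub" ] || {
        echo "FAIL: certificate and private key do not match"; return 1; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cp_crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired"; return 1; }
    echo "OK: key pair matches and certificate is within its validity period"
    # Details to compare with what the Host Client displays after the restart.
    openssl x509 -in "$cp_crt" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Run against the live files only when they exist (that is, on the ESXi host).
if [ -f "$ESX_CRT" ]; then
    check_pair
fi
```

A return value of 2 after the revert step usually means one of the two files was not moved back; do not restart services until the check prints OK.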