Unable to add ESXi host to vCenter due to error "Certificate unable to verify"
Article ID: 389767
Updated On:
Products
Issue/Introduction
If the certificate on ESXi can't be verified by vCenter, it would fail to add ESXi to vCenter with such error message at task bar.
A general system error occurred: Failed to verify certificate on <ESXi-FQDN-or-IP>. When ESXi Certificate Mode is set to custom it is mandatory to install valid certificate on ESXi host before adding the host to VC
This article is applicable when custom CA certificate isn't required on ESXi.
Cause
Certificate chain broken.
Resolution
- Enable maintenance mode on ESXi host.
To perform it on ESXi Host Client, see Place an ESXi Host in Maintenance Mode in the VMware Host Client
To perform it on vSphere Client, see Place a Host in Maintenance Mode
To perform it by Command Line, see Place a Host in Maintenance Mode using esxcli command
- Back up the SSL certificate being used.
mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bakmv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak
- Re-generate SSL certificate.
/sbin/generate-certificates
- Restart services to get new SSL certificate to take effect.
services.sh restart
- Now the certificate is reset to ESXi self-signed. Open the browser and visit
ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates"to verify the change. - Exit maintenance mode on ESXi host.
Additional Information
If you need to revert to the previous SSL certificate, follow the steps below:
- Enable maintenance mode on ESXi host.
- Overwrite new SSL certificate with previous one.
mv rui.crt.bak rui.crtmv rui.key.bak rui.key
- Restart services to get previous SSL certificate to take effect.
services.sh restart
- Now the certificate is reset to ESXi self-signed. Open the browser and visit
ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates"to verify the change. - Exit maintenance mode on ESXi host.
Feedback
