Unable to add ESXi host to vCenter Server due to error "Certificate unable to verify"

Article ID: 389767


Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

An error in the task bar indicates that users are unable to add an ESXi host to vCenter Server due to an unverifiable ESXi certificate.

 A general system error occurred: Failed to verify certificate on <ESXi-FQDN-or-IP>. When ESXi Certificate Mode is set to custom it is mandatory to install valid certificate on ESXi host before adding the host to VC

This article applies when a custom CA-signed certificate is not required on the ESXi host, so the host can be returned to its ESXi self-signed certificate.

Cause

The underlying cause is an incomplete or improperly configured certificate trust chain.

Resolution

1. Enable maintenance mode on ESXi host.

To perform it on ESXi Host Client, see Place an ESXi Host in Maintenance Mode in the VMware Host Client
To perform it on vSphere Client, see Place a Host in Maintenance Mode
To perform it by Command Line, see Place a Host in Maintenance Mode using esxcli command

2. Verify the vCenter Server is configured with the correct certificate mode.

Verify the certificate mode on the vCenter Server by checking the vpxd.certmgmt.mode setting. Ensure this value matches the certificate type used by the ESXi hosts (VMCA, thumbprint, or custom CA). If there is a mismatch, the hosts will fail to connect. To locate this setting, refer to the following technical documentation: Change the Certificate Mode. 

3. Back up the SSL certificate and private key currently in use.

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

4. Re-generate SSL certificate.

/sbin/generate-certificates

5. Restart services to get new SSL certificate to take effect.

services.sh restart

6. After resetting the certificate to ESXi self-signed, verify the change by navigating to the ESXi Host Client and selecting Host > Manage > Security & users > Certificates.

7. Exit maintenance mode on ESXi host.

Additional Information

To revert to the previous SSL certificate, follow these steps:

  • Enable maintenance mode on ESXi host.

  • Overwrite new SSL certificate with previous one.

mv /etc/vmware/ssl/rui.crt.bak /etc/vmware/ssl/rui.crt
mv /etc/vmware/ssl/rui.key.bak /etc/vmware/ssl/rui.key

  • Restart services to get previous SSL certificate to take effect.

services.sh restart

  • Verify that the previous certificate is in use again by navigating to the ESXi Host Client and checking Host > Manage > Security & users > Certificates.

  • Exit maintenance mode on ESXi host.
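The following script is an added example, not part of this article, that wraps the reset procedure above (steps 1, 3, 4, 5 and 7) and the revert steps in this section into shell functions with two guard rails the bare commands lack: the backup step refuses to run if rui.crt.bak already exists (a second run of the plain mv would overwrite the original certificate with the regenerated self-signed one), and the regeneration step is skipped if the backup fails. Step 2 (checking vpxd.certmgmt.mode) is done on vCenter Server and is not covered. The SSL_DIR variable, the function names and the apply/revert arguments are this example's own conventions; the esxcli maintenance-mode command follows the article's command-line reference.

```shell
#!/bin/sh
# Added example, not the KB article's own code. Defaults to the ESXi
# certificate directory used in the article; SSL_DIR can be overridden for testing.
set -e
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Step 3: back up rui.crt and rui.key. Refuses to overwrite an existing backup,
# otherwise a repeated run would replace the original pair with the regenerated one.
backup_cert() {
    dir="$1"
    if [ -e "$dir/rui.crt.bak" ] || [ -e "$dir/rui.key.bak" ]; then
        echo "backup already exists in $dir; refusing to overwrite it" >&2
        return 1
    fi
    [ -f "$dir/rui.crt" ] && [ -f "$dir/rui.key" ] || {
        echo "no rui.crt/rui.key pair found in $dir" >&2
        return 1
    }
    mv "$dir/rui.crt" "$dir/rui.crt.bak" && mv "$dir/rui.key" "$dir/rui.key.bak"
}

# Revert (Additional Information): put the backed-up pair back, using full paths,
# overwriting the regenerated self-signed certificate as the article describes.
restore_cert() {
    dir="$1"
    [ -f "$dir/rui.crt.bak" ] && [ -f "$dir/rui.key.bak" ] || {
        echo "no rui.crt.bak/rui.key.bak pair found in $dir" >&2
        return 1
    }
    mv "$dir/rui.crt.bak" "$dir/rui.crt" && mv "$dir/rui.key.bak" "$dir/rui.key"
}

# Shell-side counterpart of step 6: print subject, issuer, validity and SHA-1
# thumbprint of the active certificate (openssl is available on ESXi).
show_cert() {
    openssl x509 -in "$1/rui.crt" -noout -subject -issuer -dates -fingerprint -sha1
}

# Steps 1, 3, 4, 5, 7 in order; stops before regenerating if the backup fails.
reset_to_self_signed() {
    esxcli system maintenanceMode set --enable true
    backup_cert "$SSL_DIR" || return 1
    /sbin/generate-certificates
    services.sh restart
    show_cert "$SSL_DIR"
    esxcli system maintenanceMode set --enable false
}

# Revert steps from the Additional Information section, in order.
revert_to_previous() {
    esxcli system maintenanceMode set --enable true
    restore_cert "$SSL_DIR" || return 1
    services.sh restart
    show_cert "$SSL_DIR"
    esxcli system maintenanceMode set --enable false
}

# Nothing runs on the host unless an action is given explicitly:
#   sh reset-esxi-cert.sh apply    # reset to ESXi self-signed certificate
#   sh reset-esxi-cert.sh revert   # restore the backed-up certificate
case "${1:-}" in
    apply)  reset_to_self_signed ;;
    revert) revert_to_previous ;;
    *)      ;;
esac
```

Run it over SSH on the ESXi host; the functions can be exercised against a scratch directory first by setting SSL_DIR, which is how the backup guard can be checked without touching /etc/vmware/ssl. After a successful reset, the thumbprint printed by show_cert is the one vCenter Server will present when the host is added in thumbprint mode.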