Error: "Operation not Permitted" after upgrade to 8.x and enabling NIST profile when booting ESXi host with Auto Deploy

Article ID: 392858

Products

VMware vCenter Server

Issue/Introduction

  • Attempting to boot an ESXi host with Auto Deploy fails with an error similar to "Operation not permitted".
  • vCenter has the NIST_2024 TLS profile enabled.

Environment

vCenter Server 8.0.3.x

ESXi 8.x w/ Auto Deploy

Cause

During the TLS handshake for the HTTP GET request to /vmw/rbd/tramp, iPXE (vCenter 8.0.3*) offers only the following cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

None of these cipher suites is present in the NIST_2024 profile, so the handshake fails. See vSphere TLS Configuration.

Note: Older versions of vCenter iPXE support even fewer cipher suites; the list above is for 8.0.3 and later.
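The following script is an added diagnostic, not part of this article or of VMware's tooling. It converts the IANA cipher-suite names listed above to their OpenSSL names and then reproduces the iPXE side of the handshake with `openssl s_client`, offering only those suites over TLS 1.2. A failed handshake against the vCenter Auto Deploy endpoint confirms the profile mismatch described here; a successful one shows that at least one iPXE suite is still accepted (for example after switching to COMPATIBLE). It assumes `openssl` is installed and that the Auto Deploy HTTPS host and port are passed as arguments (the port is a placeholder; this page does not state it).

```shell
#!/bin/sh
# Added example: check whether an HTTPS endpoint accepts any of the cipher
# suites iPXE offers during the /vmw/rbd/tramp request (from the list above).

# Map an IANA suite name (stdin, one per line) to its OpenSSL name.
# Rules cover exactly the DHE_RSA / RSA AES suites listed on this page,
# e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -> DHE-RSA-AES128-SHA256
iana_to_openssl() {
  sed -e 's/^TLS_//' \
      -e 's/_WITH_/_/' \
      -e 's/_CBC//' \
      -e 's/AES_/AES/' \
      -e 's/_/-/g' \
      -e 's/^RSA-//'
}

# The twelve suites iPXE (vCenter 8.0.3+) offers, as OpenSSL names, one per line.
ipxe_cipher_list() {
  iana_to_openssl <<'EOF'
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
EOF
}

# Colon-separated form for openssl's -cipher option.
ipxe_cipher_string() {
  ipxe_cipher_list | paste -sd: -
}

# Attempt a TLS 1.2 handshake offering only the iPXE suites.
# Returns 0 if the server accepts one of them, 1 otherwise.
# host/port are assumptions supplied by the caller (e.g. the vCenter FQDN
# and the Auto Deploy HTTPS port from your own environment).
probe_endpoint() {
  host=$1
  port=$2
  if printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
       -tls1_2 -cipher "$(ipxe_cipher_string)" >/dev/null 2>&1; then
    echo "OK: $host:$port accepted at least one iPXE cipher suite"
    return 0
  fi
  echo "FAIL: $host:$port rejected every iPXE cipher suite (expected with NIST_2024)"
  return 1
}

# Usage: ./probe.sh <vcenter-host> <autodeploy-https-port>
if [ "$#" -eq 2 ]; then
  probe_endpoint "$1" "$2"
fi
```

Because the probe offers exactly the suites iPXE offers and nothing newer, its result tracks the boot outcome rather than the general health of the endpoint; run it before and after changing the profile to verify the fix without rebooting a host.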

Resolution

Change the TLS configuration from NIST_2024 to COMPATIBLE on vCenter. See Manage the TLS Profile of a vCenter Server Host.

Note: After the host(s) have booted via Auto Deploy, NIST_2024 can be enabled again; however, the COMPATIBLE profile must be set again each time a host is rebooted.

Additional Information