Adding an ESXi host to vCenter Server after upgrade to ESXi 6.7 Update 3 and later versions fail
Article ID: 321019

Products

  • VMware vSphere ESXi
  • VMware vSphere ESXi 6.0
  • VMware vSphere ESXi 7.0

Issue/Introduction

Symptoms:
  • Adding an ESXi host with a self-signed, non-CA certificate to vCenter Server fails.
  • The connection to any VASA provider, such as 3PAR & Nimble, Trident, PowerMax, Unity, VMAX, or ScaleIP, fails.
  • Adding VVOL fails.


Environment

  • VMware vSphere ESXi 6.7
  • VMware vSphere ESXi 7.0

Cause

This issue occurs because the ESXi trust store holds the Certificate Authority (CA) certificates that are used to build the chain of trust whenever an ESXi host acts as the client in a TLS connection.

Every certificate in the trust store must have the CA bit set (X509v3 Basic Constraints: CA:TRUE). A certificate without this bit, for example a typical self-signed certificate, is rejected when it is passed to the trust store. As a result, adding the ESXi host to vCenter Server may fail.
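The following is an added example, not VMware code, that applies the trust-store rule described above to a certificate: it walks the DER structure, locates the X509v3 Basic Constraints extension (OID 2.5.29.19) and reports the cA flag, so you can tell before adding a host or VASA provider whether its certificate would be rejected. It uses only the Python standard library. The sample certificates are constructed inline with a dummy key and signature (they parse but would never verify); the hostname esxi-host.example and the function names are assumptions for the example.

```python
"""Check whether an X.509 certificate carries X509v3 Basic Constraints CA:TRUE.

Added example (not VMware code): a minimal DER walker that mirrors the rule the
KB describes for the ESXi trust store. Stdlib only; the sample certificates are
constructed inline with a dummy signature, so they parse but do not verify."""
import base64
import re
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content of OID 2.5.29.19


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value


def pem_to_der(data):
    """Accept PEM or DER bytes and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def basic_constraints_ca(cert_bytes):
    """Return the cA flag (True/False), or None when the extension is absent."""
    _, cert, _ = _read_tlv(pem_to_der(cert_bytes), 0)  # Certificate SEQUENCE
    tbs = next(value for _, value in _children(cert))  # TBSCertificate is first
    for tag, value in _children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = _read_tlv(value, 0)  # SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            fields = list(_children(ext))  # extnID, [critical], extnValue
            if fields[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            _, bc, _ = _read_tlv(fields[-1][1], 0)  # BasicConstraints SEQUENCE
            for t, v in _children(bc):
                if t == 0x01:  # BOOLEAN cA
                    return v != b"\x00"
            return False  # cA omitted => DEFAULT FALSE
    return None


def esxi_trust_store_accepts(cert_bytes):
    """The KB's rule: only certificates with CA:TRUE are admitted to the trust store."""
    return basic_constraints_ca(cert_bytes) is True


# --- constructed sample certificates (dummy key and signature, parse-only) ---
def _tlv(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _make_cert(ca):
    """Build a v3 certificate; ca=True/False sets Basic Constraints, None omits it."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                         + _tlv(0x0C, b"esxi-host.example"))))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                           + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" * 17))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
           + name + validity + name + spki)
    if ca is not None:
        bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
        ext = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + _tlv(0x01, b"\xff") + _tlv(0x04, bc))
        tbs += _tlv(0xA3, _tlv(0x30, ext))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 33))


SAMPLE_CA_CERT = _make_cert(True)        # what the ESXi trust store accepts
SAMPLE_SELF_SIGNED = _make_cert(False)   # typical self-signed array cert, rejected
SAMPLE_NO_BC = _make_cert(None)          # extension absent, also rejected
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_CA_CERT)
                 + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. a certificate exported from a VASA provider
        with open(path, "rb") as fh:
            print(path, "CA flag:", basic_constraints_ca(fh.read()))
```

Run it against an exported PEM or DER certificate (`python3 check_ca_bit.py provider.pem`); a result of `False` or `None` means the trust store will reject the certificate and one of the workarounds below is needed. The same information is visible in `openssl x509 -in provider.pem -noout -text` under "X509v3 Basic Constraints"; the script simply makes the check scriptable across many certificates. Note that an absent extension and an explicit CA:FALSE are treated the same way, which is why many array-generated self-signed certificates fail.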

Resolution

This is a known issue affecting ESXi 6.7.x and later versions.

Currently, there is no resolution.

Workaround:
Use either one of the following workarounds:
  • Set the ESXi host advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned to true.
  • Change the VVOL server to use a self-signed certificate that includes the CA:TRUE flag.