vCenter 6.7 Update 3, Unable to add Host

I have had some customers with a problem that they can't add ESXi hosts to a vCenter after upgrading to 6.7 Update 3/3a; I have not checked 3b.

When trying to add the host to the vCenter they get this error:

A general system error occurred: Unable to push CA certificates and CRLs to host <hostname/IP> 

All the customers I have seen this problem at had changed away from the default certificate in the vCenter, either by using a certificate from a CA or just by changing them on the vCenter. But that might be a coincidence; it might also be because the vCenter was upgraded.

Something has changed in vCenter 6.7 Update 3 regarding how it creates the ESXi host certificate, or how it pushes certificates out to the hosts.

The solution is to change an advanced setting on the vCenter; vCenter -> Configure -> Settings -> Advanced Settings:

 vpxd.certmgmt.mode = thumbprint 

This may also affect other operations on the ESXi hosts. I have not checked, but I think it also means that you cannot push new certificates to hosts that are already added, and maybe other things as well.
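The same advanced setting can be changed from PowerCLI instead of the vSphere Client. The script below is an added example and not code from the original post; it assumes the VMware.PowerCLI module is installed, that you have rights to change vCenter advanced settings, and that the vCenter name passed in is a placeholder for your own. It reads the current value first so you know what to set it back to later, since in thumbprint mode vCenter stops managing the host certificates with VMCA.

```powershell
# Added example (not from the original post): switch vpxd.certmgmt.mode with PowerCLI.
# Assumes VMware.PowerCLI is installed; $VCenter is a placeholder for your vCenter FQDN.
#Requires -Modules VMware.PowerCLI

param(
    [Parameter(Mandatory)] [string] $VCenter,
    # Documented values for this setting: vmca (default), thumbprint, custom
    [ValidateSet('vmca', 'thumbprint', 'custom')]
    [string] $Mode = 'thumbprint'
)

$vc = Connect-VIServer -Server $VCenter

# The setting lives on the vCenter server object itself, not on an ESXi host
$setting = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode'
Write-Host "Current vpxd.certmgmt.mode on $($vc.Name): $($setting.Value)"

if ($setting.Value -eq $Mode) {
    Write-Host "Already set to '$Mode', nothing to change."
}
else {
    Set-AdvancedSetting -AdvancedSetting $setting -Value $Mode -Confirm:$false | Out-Null

    # Re-read the value from vCenter to confirm the change actually applied
    $setting = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode'
    if ($setting.Value -ne $Mode) {
        throw "vpxd.certmgmt.mode is still '$($setting.Value)', expected '$Mode'"
    }
    Write-Host "vpxd.certmgmt.mode changed to '$($setting.Value)'"
}

# While the mode is 'thumbprint', vCenter does not push VMCA-issued
# certificates or CRLs to hosts, so run the script again with -Mode vmca
# once the hosts are added if VMCA should manage host certificates again.

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it as `.\Set-CertMode.ps1 -VCenter vcsa.example.local` (placeholder name) to switch to thumbprint mode before adding the hosts, and with `-Mode vmca` afterwards to hand certificate management back to VMCA.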

I hope that VMware will create a KB on this, and even better, fix this issue.


3 thoughts on “vCenter 6.7 Update 3, Unable to add Host”

  1. I had the same issue two weeks ago with an (upgraded) vCenter using the vmca and a completely new host.
    With a newly installed vCenter the same host could be added without problems.

      1. I don’t know if the customer made any changes to the vmca, but that would be unlikely. The vcsa has been upgraded from 6.5 U1 to 6.7 U3 (while not migrating events/performance data).

        Then I wanted to add three completely freshly installed hosts. All of them failed with that error, so I tried a lot with the first one. For example a complete re-generation of the self-signed host certificate and also the new extended option Config.HostAgent.ssl.keyStore.allowSelfSigned=true. Without success.

        Also tried regeneration of the vmca and replacement of all certificates without success.

        I thought this would be a pretty primitive bug and quickly set up a lab with a new vCenter and a host. Adding here worked fine.
        At first I was wondering if it could be related to the HPE custom image, but then it worked fine with a new vCenter in production (with default host and vCenter settings).
