vCenter 6.7 Update 3, Unable to add Host

UPDATED February 11, 2020. The blog has been update, with new information and the recommended solution.

I have had some customers with a problem that they can’ add ESXi hosts to a vCenter after upgrading to 6.7 Update 3/3a, and adding new ESXI 6.7 Update 3 hosts.

When trying to add the host to the vCenter they get this error:

A general system error occurred: Unable to push CA certificates and CRLs to host <hostname/IP> 

The problem is mentioned in the release notes, “You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system” , but this is not an good description.

There are 2 solutions, one thats in the release notes and another is the workaround I have already published.

This is a workaround: you can change an advanced setting on the vCenter; vCenter -> Configure -> Settings -> Advanced Settings:

 vpxd.certmgmt.mode = thumbprint 

This may also affect other operation on the ESXi hosts, I have not checked, but I think that it also means that you can not push new certifices to hosts, already added, and maybe also other things.

Note: This solution can create a new problem later see the blog.

The solution: in the VMware release notes is to change an advanced setting: “The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store”. They do forget to mention that you need to restart the management agents “ restart” true the server console og SSH, or reboot the hosts.

To do this a little easier, i have made a script to do this, from PowerCLI, and also using plink.exe. This script is just a sample, that you can modify, for your use case.

$cmd = " restart"
$hostname = "esx01.domain.local"
$esx_Password = read-host "Input ESXi root password: "
$vmhost = connect-viserver -server $hostname -user root -password $esx_password
set-VMHostAdvancedConfiguration -Name "Config.HostAgent.ssl.keyStore.allowSelfSigned" -value true
$sshService = Get-VmHostService | Where { $_.Key -eq “TSM-SSH”}
Start-VMHostService -HostService $sshService -Confirm:$false
cmd /c  "echo y | C:\temp\Plink -ssh -pw $($esx_Password) root@$hostname $($cmd)"
disconnect-viserver $vmhost -Confirm:$false
$vmhost = connect-viserver -server $hostname -user root -password $esx_password
$sshService = Get-VmHostService | Where { $_.Key -eq “TSM-SSH”}
Stop-VMHostService -HostService $sshService -Confirm:$false
disconnect-viserver $vmhost -Confirm:$false

Hope this will help you.

The best solution would be, not to use self issued certificates.

Note: Check if time is correct on the ESXi hosts, this could give similar problems.

Please share this page if you find it usefull:

10 thoughts on “vCenter 6.7 Update 3, Unable to add Host

  1. I had the same issue two weeks ago with a (upgraded) vCenter using the vmca and a completely new host.
    With a new installed vCenter the same host could be added without problems.

      1. I don’t know if the customer made any changes to the vmca, but that would be unlikely. The vcsa has been upgraded from 6.5 U1 to 6.7 U3 (while not migrating events/performance data).

        Then I wanted to add three completely freshly installed hosts. All of them failed with that error so I tried a lot with the first one. For example a complete re-generation of the self signed host certificate and also the new extended option Config.HostAgent.ssl.keyStore.allowSelfSigned=true. Without success.

        Also tried regeneration of the vmca and replacement of all certificates without success.

        I thought this would be a pretty primitive bug and quickly set up a lab with a new vCenter and a host. Adding here worked fine.
        At first I was wondering if it could be related to the HPE custom image, but then it worked fine with a new vCenter in production (with default host and vCenter settings).

  2. Guys before doing all those configurations make sure that your host is running the right date and time. (use NTP if you can)
    I’ve fixed this issue just by running NTP… after hours of troubleshooting….

  3. Hello Amaury

    Thank you for your hint. After configuring ntp on the host I cloud join the new esxi server without any problems.

    Regards Lorenz

  4. Just want to say thanks for the part about Config.HostAgent.ssl.keyStore.allowSelfSigned. i follow the vmware article and still doesn’t work, Run this in ssh “ restart” and it works!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.