vCenter 6.7 Update 3, Unable to add Host

UPDATED February 11, 2020. The blog has been update, with new information and the recommended solution.

I have had some customers with a problem that they can’ add ESXi hosts to a vCenter after upgrading to 6.7 Update 3/3a, and adding new ESXI 6.7 Update 3 hosts.

When trying to add the host to the vCenter they get this error:

A general system error occurred: Unable to push CA certificates and CRLs to host <hostname/IP> 

The problem is mentioned in the release notes, “You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system” , but this is not an good description.

There are 2 solutions, one thats in the release notes and another is the workaround I have already published.

NOTE: This is fixed in later versions, so if you see the problem, please try to check NTP or time on the ESXi host certificate is not issued in the future.

This is a workaround: you can change an advanced setting on the vCenter; vCenter -> Configure -> Settings -> Advanced Settings:

 vpxd.certmgmt.mode = thumbprint 

This may also affect other operation on the ESXi hosts, I have not checked, but I think that it also means that you can not push new certifices to hosts, already added, and maybe also other things.

Note: This solution can create a new problem later see the blog.

The solution: in the VMware release notes is to change an advanced setting: “The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store”. They do forget to mention that you need to restart the management agents “services.sh restart” true the server console og SSH, or reboot the hosts.

To do this a little easier, i have made a script to do this, from PowerCLI, and also using plink.exe. This script is just a sample, that you can modify, for your use case.

$cmd = "services.sh restart"
$hostname = "esx01.domain.local"
$esx_Password = read-host "Input ESXi root password: "
$vmhost = connect-viserver -server $hostname -user root -password $esx_password
set-VMHostAdvancedConfiguration -Name "Config.HostAgent.ssl.keyStore.allowSelfSigned" -value true
$sshService = Get-VmHostService | Where { $_.Key -eq “TSM-SSH”}
Start-VMHostService -HostService $sshService -Confirm:$false
cmd /c  "echo y | C:\temp\Plink -ssh -pw $($esx_Password) root@$hostname $($cmd)"
disconnect-viserver $vmhost -Confirm:$false
$vmhost = connect-viserver -server $hostname -user root -password $esx_password
$sshService = Get-VmHostService | Where { $_.Key -eq “TSM-SSH”}
Stop-VMHostService -HostService $sshService -Confirm:$false
disconnect-viserver $vmhost -Confirm:$false

Hope this will help you.

The best solution would be, not to use self issued certificates.

Note: Check if time is correct on the ESXi hosts, this could give similar problems.