VxRail: ESXi hosts enter an "HA error state" after custom certificates are implemented

Summary: A custom CA certificate is added to the ESXi hosts, and vSphere High Availability (HA) stops working.


Symptoms



A custom CA certificate is added to the ESXi hosts, and vSphere High Availability (HA) stops working.
 

/var/log/fdm.log:
2017-05-18T11:24:28.018Z error fdm[3A608B70] [Originator@6876 sub=Message opID=SWI-787207f7] [AcceptorImpl::FinishSSLAccept] Error N7Vmacore3St read) creating ssl stream or doing handshake
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Election opID=SWI-60b7acd9] CheckVersion: Version[2] Other host GT : 90 >
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Cluster opID=SWI-60b7acd9] [ClusterPersistence::VersionChange] version[2]
2017-05-18T11:24:28.145Z info fdm[FFD7FB70] [Originator@6876 sub=Cluster opID=SWI-60b7acd9] [ClusterPersistence::VersionChange] fetching versi
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Election opID=SWI-60b7acd9] CheckVersion: Version[0] Other host Less : 260
2017-05-18T11:24:28.153Z error fdm[FFF45B70] [Originator@6876 sub=Message opID=SWI-66926e8] [MsgConnectionImpl::FinishSSLConnect] Error N7Vmac
--> PeerThumbprint: 3D:7E:55:CD:CF:9E:B1:C2:04:41:F6:59:2D:05:BB:49:7F:A7:AA:F3
--> ExpectedThumbprint: FE:B6:B6:44:65:DC:B7:70:C4:DD:0B:EA:CF:A1:5E:8A:13:50:1D:CA
--> ExpectedPeerName: host-87
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.

 

Cause

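This can indicate that the Fault Domain Manager (FDM) failed while VMware HA was being configured on the cluster: the primary host was elected and connected successfully, but the secondary hosts cannot connect to it.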

Resolution

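1. Check fdm.log on the primary host and copy the thumbprints for future reference.
2. Stop the vCenter Server service.
3. Connect to the vCenter Server database.
4. Back up the vCenter Server database before making any changes.
5. Check that you can see both thumbprints (from fdm.log) in the VPX_HOST table.
6. Make sure both values are the same as the thumbprint of the SSL certificate located at /etc/vmware/ssl/rui.crt.
7. Commit the changes to the database.
8. Start the vCenter Server service and connect to it using the vSphere Client/Web Client.
9. Re-enable HA.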

To view both thumbprints for all hosts, you can use the following query:
 

select ID, DNS_NAME, IP_ADDRESS, EXPECTED_SSL_THUMBPRINT, HOST_SSL_THUMBPRINT from VPX_HOST;


It lists output similar to the following:
 

VCDB=# select ID, DNS_NAME, IP_ADDRESS, EXPECTED_SSL_THUMBPRINT, HOST_SSL_THUMBPRINT from VPX_HOST;
 id  |       dns_name       | ip_address |                   expected_ssl_thumbprint                   |                     host_ssl_thumbprint


To update the thumbprints, you can use a query similar to the following:
 

UPDATE VPX_HOST SET EXPECTED_SSL_THUMBPRINT='DE:55:42:C7:81:2D:FA:D8:3C:73:4B:94:35:54:47:96:17:87:51:FF' where ID=37;

UPDATE VPX_HOST SET host_ssl_thumbprint='DE:55:42:C7:81:2D:FA:D8:3C:73:4B:94:35:54:47:96:17:87:51:FF' where ID=37;
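
The comparison in steps 5 and 6, as an added example that is not part of the original article: it extracts the thumbprint pair from the fdm.log excerpt and checks VPX_HOST values against the thumbprint read from each host's rui.crt. The rows, IDs and the `CERTS` mapping are constructed, and the function names are hypothetical.

```python
import re

FIELD = re.compile(r"-->\s*(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(\S+)")
THUMB = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")

def normalize(value):
    """Trim and upper-case; accept only 20 colon-separated hex bytes."""
    t = value.strip().upper()
    if not THUMB.fullmatch(t):
        raise ValueError(f"not a 20-byte thumbprint: {value!r}")
    return t

def fdm_mismatches(log_text):
    """One dict per logged handshake failure whose peer and expected thumbprints differ."""
    events, cur = [], {}
    for key, val in FIELD.findall(log_text):
        if key in cur:  # the same field again means a new event has started
            events.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        events.append(cur)
    return [e for e in events if {"PeerThumbprint", "ExpectedThumbprint"} <= e.keys()
            and normalize(e["PeerThumbprint"]) != normalize(e["ExpectedThumbprint"])]

def audit_rows(rows, cert_thumbprints):
    """(id, column, reason) for each stored value not identical to the rui.crt thumbprint."""
    findings = []
    for row in rows:
        want = normalize(cert_thumbprints[row["id"]])
        for col in ("expected_ssl_thumbprint", "host_ssl_thumbprint"):
            have = row[col]
            if have == want:
                continue
            try:  # same bytes but stray whitespace or case, versus a different certificate
                reason = "formatting" if normalize(have) == want else "stale"
            except ValueError:
                reason = "malformed"
            findings.append((row["id"], col, reason))
    return findings

PEER = "3D:7E:55:CD:CF:9E:B1:C2:04:41:F6:59:2D:05:BB:49:7F:A7:AA:F3"  # from the fdm.log excerpt
OLD = "FE:B6:B6:44:65:DC:B7:70:C4:DD:0B:EA:CF:A1:5E:8A:13:50:1D:CA"   # from the fdm.log excerpt
OTHER = ":".join(["AB"] * 20)                                          # constructed
FDM_LOG = f"--> PeerThumbprint: {PEER}\n--> ExpectedThumbprint: {OLD}\n--> ExpectedPeerName: host-87\n"
ROWS = [  # constructed stand-ins for the VPX_HOST query output; ids are invented
    {"id": 1, "expected_ssl_thumbprint": OLD, "host_ssl_thumbprint": " " + PEER},
    {"id": 2, "expected_ssl_thumbprint": OTHER, "host_ssl_thumbprint": OTHER},
]
CERTS = {1: PEER, 2: OTHER}  # constructed: thumbprint read from each host's rui.crt
```

A "formatting" finding means the stored string carries stray whitespace or a case difference and is therefore not identical to the certificate thumbprint, even though the bytes are the same.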


 

Additional Information

Affected Products

VxRail Software

Products

VxRail Appliance Family, VxRail Software
Article Properties
Article Number: 000082193
Article Type: Solution
Last Modified: 11 Feb 2025
Version:  5