VxRail: ESXi hosts enter an "HA error state" after custom certificates are implemented
Summary: After custom CA certificates are added to the ESXi hosts, vSphere High Availability (HA) stops working.
Symptoms
After custom CA certificates are added to the ESXi hosts, vSphere High Availability (HA) stops working.
/var/log/fdm.log:
2017-05-18T11:24:28.018Z error fdm[3A608B70] [Originator@6876 sub=Message opID=SWI-787207f7] [AcceptorImpl::FinishSSLAccept] Error N7Vmacore3St read) creating ssl stream or doing handshake
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Election opID=SWI-60b7acd9] CheckVersion: Version[2] Other host GT : 90 >
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Cluster opID=SWI-60b7acd9] [ClusterPersistence::VersionChange] version[2]
2017-05-18T11:24:28.145Z info fdm[FFD7FB70] [Originator@6876 sub=Cluster opID=SWI-60b7acd9] [ClusterPersistence::VersionChange] fetching versi
2017-05-18T11:24:28.145Z verbose fdm[FFD7FB70] [Originator@6876 sub=Election opID=SWI-60b7acd9] CheckVersion: Version[0] Other host Less : 260
2017-05-18T11:24:28.153Z error fdm[FFF45B70] [Originator@6876 sub=Message opID=SWI-66926e8] [MsgConnectionImpl::FinishSSLConnect] Error N7Vmac
--> PeerThumbprint: 3D:7E:55:CD:CF:9E:B1:C2:04:41:F6:59:2D:05:BB:49:7F:A7:AA:F3
--> ExpectedThumbprint: FE:B6:B6:44:65:DC:B7:70:C4:DD:0B:EA:CF:A1:5E:8A:13:50:1D:CA
--> ExpectedPeerName: host-87
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.
Cause
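This may indicate a problem with the Fault Domain Manager (FDM) when VMware HA is configured on the cluster: a primary host was successfully elected and connected, but the secondary hosts cannot connect to it.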
Resolution
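1. Check fdm.log on the primary host and copy the thumbprints for future reference.
2. Stop the vCenter Server service.
3. Connect to the vCenter Server database.
4. Back up the vCenter Server database before making any changes.
5. Check whether the two thumbprints (from fdm.log) can be seen in the VPX_HOST table.
6. Ensure that both values are the same as the thumbprint in the SSL certificate located at /etc/vmware/ssl/rui.crt.
7. Commit the changes to the database.
8. Start the vCenter Server service and connect to it through the vSphere Client/Web Client.
9. Re-enable HA.
To view both thumbprints for all hosts, you can use the following query: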
select ID, DNS_NAME, IP_ADDRESS, EXPECTED_SSL_THUMBPRINT, HOST_SSL_THUMBPRINT from VPX_HOST;
It lists output similar to the following:
VCDB=# select ID, DNS_NAME, IP_ADDRESS, EXPECTED_SSL_THUMBPRINT, HOST_SSL_THUMBPRINT from VPX_HOST;
id | dns_name | ip_address | expected_ssl_thumbprint | host_ssl_thumbprint
To update the thumbprints, you can use a query similar to the following:
UPDATE VPX_HOST SET EXPECTED_SSL_THUMBPRINT='DE:55:42:C7:81:2D:FA:D8:3C:73:4B:94:35:54:47:96:17:87:51:FF' where ID=37;
UPDATE VPX_HOST SET host_ssl_thumbprint='DE:55:42:C7:81:2D:FA:D8:3C:73:4B:94:35:54:47:96:17:87:51:FF' where ID=37;
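The comparison in steps 1, 5 and 6 can be scripted before any UPDATE is run. The following is an added example, not part of the original article or of any Dell or VMware tooling; the function names are hypothetical, and it assumes the 20-byte thumbprints shown above are SHA-1 digests of the DER-encoded certificate and are stored in uppercase as in the log.

```python
import hashlib
import re
import ssl

# fdm.log continuation lines copied from the Symptoms section of this article.
FDM_LOG = """\
--> PeerThumbprint: 3D:7E:55:CD:CF:9E:B1:C2:04:41:F6:59:2D:05:BB:49:7F:A7:AA:F3
--> ExpectedThumbprint: FE:B6:B6:44:65:DC:B7:70:C4:DD:0B:EA:CF:A1:5E:8A:13:50:1D:CA
--> ExpectedPeerName: host-87
"""

FIELD = re.compile(r"^-->\s*(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(\S+)")
SHA1_THUMB = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")


def pem_thumbprint(pem_text):
    """SHA-1 over the DER bytes of a PEM certificate, as colon-separated uppercase hex."""
    digest = hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fdm_mismatches(log_text):
    """Return (peer_name, presented, expected) for each entry whose thumbprints differ."""
    found, entry = [], {}
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        entry[m.group(1)] = m.group(2)
        if len(entry) == 3:  # all three fields of one log entry collected
            if entry["PeerThumbprint"] != entry["ExpectedThumbprint"]:
                found.append((entry["ExpectedPeerName"], entry["PeerThumbprint"],
                              entry["ExpectedThumbprint"]))
            entry = {}
    return found


def row_problems(expected_db, host_db, cert_thumb):
    """Check both thumbprint columns of one VPX_HOST row against the certificate."""
    problems = []
    for column, value in (("EXPECTED_SSL_THUMBPRINT", expected_db),
                          ("HOST_SSL_THUMBPRINT", host_db)):
        if not SHA1_THUMB.fullmatch(value):  # catches stray spaces or truncation
            problems.append(f"{column}: not a bare 20-byte thumbprint: {value!r}")
        elif value != cert_thumb:
            problems.append(f"{column}: differs from certificate")
    return problems


if __name__ == "__main__":
    for name, presented, expected in fdm_mismatches(FDM_LOG):
        print(f"{name}: presents {presented}, expected {expected}")
```

Pass the contents of the host's rui.crt to `pem_thumbprint` and the two column values from the SELECT above to `row_problems`; an empty list means the row already matches the certificate.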
Additional Information
Affected Products
VxRail Software
Products
VxRail Appliance Family, VxRail Software
Article Properties
Article Number: 000082193
Article Type: Solution
Last Modified: 11 Feb 2025
Version: 5