I recently came across this issue in my lab after upgrading my vCenter Server from version 4.1 to version 5 and figured I’d blog about it. In this case I have a couple of hosts with configuration issues shown in the screenshot below.
It's pretty clear from the message that there is a problem with the SSL thumbprint verification for this host, so we can check some things by going to Administration -> vCenter Server Settings in vCenter. Next, select SSL Settings and you should see something similar to the screenshot below.
The hosts that show up in the list need to be verified. We can just check the Verified checkbox and be done, or better, verify what the host actually shows for its SSL thumbprint. If your host is ESX, SSH to its console and type the command “openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout”.
If you're using ESXi, you can log into the direct console and select View Support Information on the System Customization menu.
Once you have verified that the host thumbprint matches what's shown in vCenter, you can check the Verified checkbox and click OK.
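The comparison in the steps above can be scripted instead of done by eye. This is an added example, not part of the original post; the function names are hypothetical, and it assumes a POSIX shell with openssl available, as on the ESX service console.

```shell
#!/bin/sh
# Added example (not from the original post): compare a host certificate's
# SHA-1 thumbprint with the value shown in vCenter's SSL Settings dialog.
# Function names are hypothetical.

# Strip an "... Fingerprint=" label, drop colons/whitespace, upper-case hex.
normalize_thumbprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Print the normalized SHA-1 thumbprint of a PEM certificate file.
cert_thumbprint() {
    raw=$(openssl x509 -in "$1" -fingerprint -sha1 -noout) || return 2
    normalize_thumbprint "$raw"
}

# verify_thumbprint CERT_FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if either input is unusable.
verify_thumbprint() {
    expected=$(normalize_thumbprint "$2")
    # A SHA-1 thumbprint is exactly 40 hex digits; reject truncated pastes
    # so a partial value can never be mistaken for a verified one.
    case "$expected" in
        *[!0-9A-F]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || {
        echo "expected value is not 40 hex digits" >&2; return 2; }
    actual=$(cert_thumbprint "$1") || {
        echo "cannot read certificate $1" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "MATCH    $actual"
        return 0
    fi
    echo "MISMATCH host=$actual vcenter=$expected" >&2
    return 1
}

# On the ESX console, pass the thumbprint copied from vCenter as argument 2:
#   verify_thumbprint /etc/vmware/ssl/rui.crt "<thumbprint shown in vCenter>"
```

Only check the Verified checkbox when the function reports a match; a mismatch means vCenter and the host disagree about which certificate the host is presenting.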
In my situation I also ran the “Reconfigure for vSphere HA” for each of the hosts that had this issue so that the vSphere HA Agent could be updated.
I have not tried this yet…but was considering it for future upgrades.
When using an internal company CA signed cert, in addition to installing certs on the ESXi hosts and vCenter, I believe it would also be necessary to install the company CA and Intermediate company CA certificates onto the vCenter machine prior to adding hosts to the cluster. Otherwise, the vCenter server would be unable to validate the authority chain which signed those certificates. Just something worth consideration.