You may see following error when you attempt to renew ESXi certificate using vCenter web console (\ESXi\configure\certificate-renew). This error may also come when you connect ESXi host in vCenter that is either new OR disconnected previously.

On screen error stack

Error Stack
---------------------
TypeError: Error #1009
	at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/onSetContext()
	at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/set _209484338contextObject()
	at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/set contextObject()
	at BindingImpl/assign()
	at BindingImpl$/bindProperty()
	at com.vmware.flexutil.impl.binding::BindingUtil$/bindProperty()
	at com.vmware.flexutil::BindingSet/bindProperty()
	at com.vmware.frinje::ContextPropagationManager/bindChildToParentProperty()
	at com.vmware.frinje::ContextPropagationManager/createBindings()
	at com.vmware.frinje::ContextPropagationManager/bindToParent()
	at com.vmware.frinje::ContextPropagationManager/bindParentalMediatorChainFor()
	at com.vmware.frinje::ContextPropagationManager/addTarget()
	at com.vmware.frinje::ContextPropagationManager/addRemoveObject()
	at com.vmware.frinje::ContextPropagationManager/onInjectableObjectAddedRemoved()
	at flash.events::EventDispatcher/dispatchEvent()
	at com.vmware.frinje::ObjectRegistry/onObjectAdded()
	at flash.events::EventDispatcher/dispatchEvent()
	at com.vmware.flexutil.events::QueuingEventDispatcher/dispatchPendingEvents()
	at com.vmware.flexutil::FunctionUtil$/invokeCallLater()
	at mx.core::UIComponent/callLaterDispatcher2()
	at mx.core::UIComponent/callLaterDispatcher()

In monitor tab, you may see following error:

A general system error occurred: Unable to get signed certificate for host: esxi_host name. Error: Start Time Error (70034)

You may see following lines in logs.

/var/log/vmware/VPXD/VPXD.log

ERROR task-4065 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError:
Result:
(vmodl.fault.SystemError) {
faultCause = (vmodl.MethodFault) null,
faultMessage = ;unset;,
reason = "Unable to get signed certificate forhost name 'esxi-2.ADdomain.org' ip '192.168.0.82': Error: Start Time Error (70034)
"msg = ""}
Args:
Arg host:
(ManagedObjectReference) ['vim.HostSystem:7fcbc462-dcb8-45a3-b91a-e3524e1a048a:host-18']

/var/log/vmware/vmcad/vmcad-syslog.log

2019-03-31T16:35:09.778456+00:00 info vmcad  t@140096531592960: VMCACheckAccessKrb: Authenticated user vcsa1.ADdomain.org@vsphere.local
2019-03-31T16:35:09.790024+00:00 info vmcad  t@140096531592960: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: vcsa1.ADdomain.org@vsphere.local
2019-03-31T16:35:09.792511+00:00 info vmcad  t@140096531592960: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2019-03-31T16:35:09.793240+00:00 info vmcad  t@140096531592960: VMCASignedRequestPrivate: Invalid validity period requested
2019-03-31T16:35:09.793421+00:00 warning vmcad  t@140096531592960: error code: 0x00011192
2019-03-31T16:35:09.793908+00:00 warning vmcad  t@140096531592960: error code: 0x00000057
2019-03-31T16:35:09.794122+00:00 warning vmcad  t@140096531592960: error code: 0x00011192

This issue happens because vCenter VMware Certificate Authority predates VMware vSphere ESXi certificates by 24 hours to avoid time synchronization issues. You can wait for 24 hours after replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate for ESXi OR attempting to add additional hosts to vCenter Server. If there is need to renew certificate for ESXi immediately then change the vpxd.certmgmt.certs.minutesBefore to 10 (default 1440 minutes means 24 hours) from vCenter advanced settings.

Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.

In the settings list, select Advanced Settings, search for vpxd.certmgmt.certs.minutesBefore

Modify the value to 10

#1009