You may see the following error when you attempt to renew an ESXi certificate from the vCenter web console (\ESXi\configure\certificate-renew). The error can also appear when you connect an ESXi host to vCenter that is either new or was previously disconnected.
On-screen error stack:
Error Stack
---------------------
TypeError: Error #1009
    at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/onSetContext()
    at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/set _209484338contextObject()
    at com.vmware.vsphere.client.views.notification::OperationNotifyViewMediator/set contextObject()
    at BindingImpl/assign()
    at BindingImpl$/bindProperty()
    at com.vmware.flexutil.impl.binding::BindingUtil$/bindProperty()
    at com.vmware.flexutil::BindingSet/bindProperty()
    at com.vmware.frinje::ContextPropagationManager/bindChildToParentProperty()
    at com.vmware.frinje::ContextPropagationManager/createBindings()
    at com.vmware.frinje::ContextPropagationManager/bindToParent()
    at com.vmware.frinje::ContextPropagationManager/bindParentalMediatorChainFor()
    at com.vmware.frinje::ContextPropagationManager/addTarget()
    at com.vmware.frinje::ContextPropagationManager/addRemoveObject()
    at com.vmware.frinje::ContextPropagationManager/onInjectableObjectAddedRemoved()
    at flash.events::EventDispatcher/dispatchEvent()
    at com.vmware.frinje::ObjectRegistry/onObjectAdded()
    at flash.events::EventDispatcher/dispatchEvent()
    at com.vmware.flexutil.events::QueuingEventDispatcher/dispatchPendingEvents()
    at com.vmware.flexutil::FunctionUtil$/invokeCallLater()
    at mx.core::UIComponent/callLaterDispatcher2()
    at mx.core::UIComponent/callLaterDispatcher()
In the Monitor tab, you may see the following error:
A general system error occurred: Unable to get signed certificate for host: esxi_host name. Error: Start Time Error (70034)
You may see the following lines in the logs.
/var/log/vmware/VPXD/VPXD.log
ERROR task-4065 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError: Result: (vmodl.fault.SystemError) { faultCause = (vmodl.MethodFault) null, faultMessage = ;unset;, reason = "Unable to get signed certificate forhost name 'esxi-2.ADdomain.org' ip '192.168.0.82': Error: Start Time Error (70034) "msg = ""} Args: Arg host: (ManagedObjectReference) ['vim.HostSystem:7fcbc462-dcb8-45a3-b91a-e3524e1a048a:host-18']
/var/log/vmware/vmcad/vmcad-syslog.log
2019-03-31T16:35:09.778456+00:00 info vmcad t@140096531592960: VMCACheckAccessKrb: Authenticated user vcsa1.ADdomain.org@vsphere.local
2019-03-31T16:35:09.790024+00:00 info vmcad t@140096531592960: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: vcsa1.ADdomain.org@vsphere.local
2019-03-31T16:35:09.792511+00:00 info vmcad t@140096531592960: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2019-03-31T16:35:09.793240+00:00 info vmcad t@140096531592960: VMCASignedRequestPrivate: Invalid validity period requested
2019-03-31T16:35:09.793421+00:00 warning vmcad t@140096531592960: error code: 0x00011192
2019-03-31T16:35:09.793908+00:00 warning vmcad t@140096531592960: error code: 0x00000057
2019-03-31T16:35:09.794122+00:00 warning vmcad t@140096531592960: error code: 0x00011192
This issue happens because the vCenter VMware Certificate Authority (VMCA) backdates the start time of ESXi certificates by 24 hours to avoid time synchronization issues. A request made less than 24 hours after the VMCA certificate became valid therefore asks for a start time that falls before the CA certificate's own validity, and VMCA rejects it with "Invalid validity period requested". You can wait 24 hours after replacing the VMCA certificate with an enterprise subordinate certificate before renewing ESXi certificates or adding additional hosts to vCenter Server. If you need to renew an ESXi certificate immediately, change vpxd.certmgmt.certs.minutesBefore to 10 in the vCenter advanced settings (the default is 1440 minutes, which is 24 hours).
Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.
In the settings list, select Advanced Settings and search for vpxd.certmgmt.certs.minutesBefore.
Modify the value to 10.
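
The timing behind the error, as an added example that is not part of the original article: the script finds the rejection in vmcad-syslog.log lines and computes how long a request would still have to wait under the default of 1440 minutes versus 10. The CA start time (CA_NOT_BEFORE), the function names, and the rule that VMCA refuses a start time earlier than its own certificate's start are assumptions; the log lines are constructed from the excerpt above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the vmcad-syslog.log excerpt above.
SAMPLE_LOG = """\
2019-03-31T16:35:09.778456+00:00 info vmcad t@140096531592960: VMCACheckAccessKrb: Authenticated user vcsa1.ADdomain.org@vsphere.local
2019-03-31T16:35:09.793240+00:00 info vmcad t@140096531592960: VMCASignedRequestPrivate: Invalid validity period requested
2019-03-31T16:35:09.793421+00:00 warning vmcad t@140096531592960: error code: 0x00011192
"""

# timestamp, level, "vmcad", thread id, message
LINE_RE = re.compile(r"^(\S+) (\w+) vmcad t@\d+: (.*)$")

# Hypothetical value: when the new subordinate CA certificate became valid.
CA_NOT_BEFORE = datetime(2019, 3, 31, 12, 0, tzinfo=timezone.utc)


def rejected_requests(log_text):
    """Timestamps of signing requests refused for their validity period."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "Invalid validity period requested" in m.group(3):
            hits.append(datetime.fromisoformat(m.group(1)))
    return hits


def wait_needed(request_time, ca_not_before, minutes_before):
    """How much longer to wait until the backdated start time is no earlier
    than the CA certificate's start (assumed rejection rule); zero if fine."""
    requested_start = request_time - timedelta(minutes=minutes_before)
    return max(ca_not_before - requested_start, timedelta(0))


def report(log_text=SAMPLE_LOG, ca_not_before=CA_NOT_BEFORE):
    """(request time, wait with default 1440, wait with 10) per rejection."""
    return [
        (ts, wait_needed(ts, ca_not_before, 1440), wait_needed(ts, ca_not_before, 10))
        for ts in rejected_requests(log_text)
    ]


if __name__ == "__main__":
    for ts, w_default, w_short in report():
        print(f"rejected at {ts.isoformat()}")
        print(f"  minutesBefore=1440: wait {w_default}")
        print(f"  minutesBefore=10:   wait {w_short}")
```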