Renewing a Host Certificate doesn’t push full certificate chain to the host

When we renew an ESXi certificate using vCenter, and vCenter (or the PSC) is configured as a subordinate CA, the certificate chain is missing from the certificate pushed to ESXi.

Renew_esxi.jpg

After the renewal you may see that the ESXi certificate isn’t trusted and the chain is missing.

esx3_cert.jpg

This issue is seen with vSphere 6.7 GA and U1 and is fixed in 6.7 U2; details are available in the KB.

To work around the issue, follow these steps.

SSH to the ESXi server.
Make a copy of config.xml:

cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/Backup_config.xml

Modify the following line in /etc/vmware/rhttpproxy/config.xml (uncomment the keyStoreFile element):

From
<!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->

To
<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>

Then reboot the ESXi server using vCenter or ESXi host access. After the reboot, if you renew the ESXi certificate again, the full chain should be pushed properly, as in the example below.
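The edit above is easy to get wrong by hand (a typo in the XML stops rhttpproxy from starting). The following script is an added example, not part of the original post: it backs up config.xml, uncomments the keyStoreFile element with sed, and verifies the result, so it can be run repeatedly without damaging the file. It assumes a POSIX sh (ESXi's busybox ash included); the file path and element are the ones the post names.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the castore.pem
# workaround idempotently. Assumes POSIX sh; path taken from the post.

LINE='<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>'

# Return 0 if the active (uncommented) keyStoreFile element is present in $1.
is_enabled() {
    grep -q "^[[:space:]]*$LINE[[:space:]]*$" "$1"
}

# Uncomment the keyStoreFile element in the config file $1.
# Makes a timestamped backup first; returns 0 only if the element is active
# afterwards, so a failed edit is reported rather than silently applied.
enable_castore() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    if is_enabled "$cfg"; then
        echo "already enabled: $cfg"
        return 0
    fi
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Strip the comment markers around this one element only; everything
    # else in the file is left untouched. Written to a temp file, then
    # moved into place, because busybox sed on ESXi may lack -i.
    sed "s|<!--[[:space:]]*\($LINE\)[[:space:]]*-->|\1|" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg" || { rm -f "$cfg.tmp"; return 1; }
    is_enabled "$cfg" && echo "enabled keyStoreFile in $cfg"
}

# Usage: sh enable_castore.sh /etc/vmware/rhttpproxy/config.xml
# (then reboot the host and renew the certificate from vCenter).
if [ -n "${1:-}" ]; then
    enable_castore "$1"
fi
```

After the reboot and renewal, `openssl s_client -connect <esxi-host>:443 -showcerts </dev/null` should list the host certificate followed by the intermediate CA certificate(s), which is the chain that was missing before.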

esx-1-cert.jpg
