Symptoms

The HCX Service Mesh configuration workflow fails to deploy the Mobility Agent (MA) virtual host with the error message:

applianceLifecycyle job failed | intercocnnectConfigMA failed | error Adding Mobility Agent Host failed | SSL Exception

In the vCenter Monitor > Tasks view, the HCX attempt to deploy the MA host fails at about 80%. This issue does not impact the deployment of the HCX Interconnect (IX) and Network Extension (NE) appliances.

The vCenter vpxd logs show the following error message:

ERROR c.v.v.h.s.i.InterconnectConfigureMA- Task task-124498 error out, error : A general system error occurred: SSL Exception: Verification parameters:
PeerThumbprint: A3:04:3B:CC:3D:1B:18:5B:DB:9B:E9:B2:57:D6:E4:88:39:4E:C2:B1
ExpectedThumbprint:
ExpectedPeerName: 10.1.1.1
The remote host certificate has these problems:
* Host name does not match the subject name(s) in certificate.
* unable to get local issuer certificate
com.vmware.vim.binding.vmodl.fault.SystemError: A general system error occurred: SSL Exception: Verification parameters:
PeerThumbprint: A3:04:3B:CC:3D:1B:18:5B:DB:9B:E9:B2:57:D6:E4:88:39:4E:C2:B1
ExpectedThumbprint:
ExpectedPeerName: 10.1.1.1
The remote host certificate has these problems:
* Host name does not match the subject name(s) in certificate.
Purpose

Identify a known limitation and provide an alternative method for HCX deployment.
Cause

The issue occurs when vCenter Certificate Management (vpxd.certmgmt.mode) is set to "Custom" mode. The HCX MA virtual host must be added into vCenter by the HCX Manager, but because the IX appliance uses a self-signed certificate, vCenter rejects the addition of the MA into the cluster.
Impact / Risks

The failure to deploy the MA disables the HCX Cold, vMotion, and RAV migration services. VR Bulk migrations and DR Protections do not require the MA. There is no risk in implementing the recommended workaround, as there is no impact to Network Extension services.
Resolution

HCX MA deployment in a vCenter environment with Certificate Management set to "Custom" mode is NOT supported. Alternatively, the recommended workaround below can be implemented; it has been thoroughly verified, but it has some restrictions regarding persistence. Support for the implementation of the workaround is provided on a best-effort basis.
Workaround

The following procedure replaces the IX appliance certificate and key. It must be performed for each Interconnect appliance deployed in a vCenter with 'Custom' certificate management.

1. SSH into the HCX Manager as 'admin'.
2. Enable CCLI mode.
3. LIST the appliances and GO <appliance_ID> into the IX appliance.
4. SSH to drop into the Linux prompt.
5. Change directory to /etc/vmware/ssl.
6. Back up the certificate files:
   mv rui.crt rui.crt.bak
   mv rui.key rui.key.bak
7. Replace the files with the custom CA certificate and key.
8. Reboot the IX appliance, or restart the MA and authentication services:
   stc restart mobilityagent
   stc restart authdlauncher
9. From the HCX Interconnect UI, re-sync the Service Mesh to trigger the MA deployment.

IMPORTANT: This workaround is not persistent if the Service Mesh is re-synced or after service updates. The same procedure will have to be performed to re-deploy the MA again.

The following considerations should be taken into account:

- As this is a custom CA certificate to be trusted by vCenter, it must be generated in the same manner as the existing ESXi host certificates in this environment.
- Ensure the 'CN' and 'SAN' fields of the certificate contain the IP address that is intended to be used as the management IP of the IX appliance.
- If the certificate generated by the CA is provided as a cert.pem file, make sure the certificate chain (including the target, intermediate, and root certificates) and the private key are separated into the rui.crt and rui.key files.
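As an added example (not part of the KB and not VMware's tooling), the following POSIX shell helper covers the considerations above: it splits a CA-issued cert.pem bundle into rui.crt (chain) and rui.key, checks that the management IP is named in CN/SAN and that the key matches the leaf certificate before anything is swapped, and performs the same backup as the procedure. It assumes openssl on PATH; the bundle path, output names and the IP argument are placeholders, and the embedded sample bundle is constructed.

```shell
#!/bin/sh
# Added example (not from the KB): prepare and sanity-check rui.crt / rui.key
# before swapping them into /etc/vmware/ssl on the IX appliance. Assumes openssl
# is on PATH for verify_ix_cert; file names and the IP argument are placeholders.

# Split a CA-issued bundle: every CERTIFICATE block (target, intermediate, root,
# in the order supplied) goes to the crt file, the PRIVATE KEY block to the key file.
split_pem_bundle() {  # usage: split_pem_bundle BUNDLE CRT_OUT KEY_OUT
    awk -v crt="$2" -v key="$3" '
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/   { out = crt }
        out != ""                        { print > out }
        /^-----END /                     { out = "" }
    ' "$1"
    [ ! -f "$3" ] || chmod 600 "$3"   # the private key must not be world-readable
}

# Count PEM blocks with a given label (CERTIFICATE, 'PRIVATE KEY', ...).
pem_block_count() {  # usage: pem_block_count FILE LABEL
    n=$(grep -Ec "^-----BEGIN ([A-Z]+ )*$2-----" "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# The KB's considerations as checks: the IX management IP must appear in CN or
# SAN, and the private key must belong to the leaf (first) certificate.
verify_ix_cert() {  # usage: verify_ix_cert CRT KEY MGMT_IP
    openssl x509 -in "$1" -noout -subject -ext subjectAltName | grep -qF "$3" \
        || { echo "certificate does not name $3 in CN or SAN" >&2; return 1; }
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
        || { echo "private key does not match the leaf certificate" >&2; return 1; }
}
# Run inside /etc/vmware/ssl on the IX appliance: verify, back up the self-signed
# files exactly as the KB's backup step does, then swap in the new ones.
install_ix_cert() {  # usage: install_ix_cert BUNDLE MGMT_IP
    split_pem_bundle "$1" rui.crt.new rui.key.new
    verify_ix_cert rui.crt.new rui.key.new "$2" || return 1
    [ -f rui.crt ] && mv rui.crt rui.crt.bak
    [ -f rui.key ] && mv rui.key rui.key.bak
    mv rui.crt.new rui.crt && mv rui.key.new rui.key
}
# Constructed stand-in for a CA bundle (three certs + key); bodies are not real.
sample_bundle() {
    for label in CERTIFICATE CERTIFICATE CERTIFICATE 'RSA PRIVATE KEY'; do
        echo "-----BEGIN $label-----"; echo "Q09OU1RSVUNURUQ="; echo "-----END $label-----"
    done
}
tmp=$(mktemp -d); sample_bundle > "$tmp/bundle.pem"
split_pem_bundle "$tmp/bundle.pem" "$tmp/rui.crt" "$tmp/rui.key"
echo "certs in rui.crt: $(pem_block_count "$tmp/rui.crt" CERTIFICATE)"   # 3
```

Only install_ix_cert touches the live files; run it from /etc/vmware/ssl after the backup step so a bad bundle is rejected before rui.crt and rui.key are replaced.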
Related Information

Refer to the following VMware KB articles for more information on how to request and configure CA-signed certificates for ESXi hosts: KB 2113926, KB 2015387.