Thumbprint error when running ESXCLI command as a vCLI command

Article ID: 315409

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

You install vCLI on a supported Windows or Linux system, and run an ESXCLI command against an ESXi host or against a vCenter Server system. An error like the following results:
Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>
The error occurs because ESXCLI in vSphere 6.0 is more secure than in earlier versions of vSphere and requires a trust relationship between the system on which you run an ESXCLI vCLI command and the target vCenter Server system or ESXi host.


Environment

VMware vSphere ESXi 6.0
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Resolution

You can establish the trust relationship between the client machine on which you are running the vCLI command and the server specified in the --server option (ESXi host or vCenter Server system) in a number of ways.

Downloading and Installing the vCenter Server Certificate

If you intend to target a vCenter Server system and specify the ESXi host with the --vihost option, use a Web browser to download the vCenter Server certificate and install it on the machine from which you are running ESXCLI. Use the process described in How to download the vCenter Server root certificate to avoid Web Browser certificate warnings.

Using the --cacertsfile Option

Instead of installing the vCenter Server certificate, you can specify the certificate on the command line with the --cacertsfile option or the VI_CACERTFILE variable. You can also use this option if you target an ESXi host directly.

Using the --thumbprint Option

You can supply the thumbprint for the target server (ESXi host or vCenter Server system) on the command line in the --thumbprint option (VI_THUMBPRINT variable).
When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results:
Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>
To establish the trust relationship, you can run the command with the thumbprint that is returned in the error message or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host that returned the error above, you can run the following command:
esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list
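As an added example (not part of this KB article and not VMware's vCLI code), the following Python computes a certificate's SHA-1 thumbprint in the colon-separated form ESXCLI prints, so the value in the error message can be checked against a certificate obtained from the host or vCenter Server before it is passed to --thumbprint or VI_THUMBPRINT. The PEM sample is constructed and the function names are this example's own.

```python
import hashlib
import hmac
import os
import ssl
from typing import Mapping, Optional


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, formatted the way ESXCLI
    prints it: uppercase hex octets separated by colons."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    """Thumbprint of a PEM certificate, e.g. one exported from vCenter Server
    or saved from 'openssl s_client -connect host:443 -showcerts'."""
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def fetch_server_pem(host: str, port: int = 443) -> str:
    """Retrieve the certificate the host presents. No validation is done, so
    the result is only as trustworthy as the network path to the host."""
    return ssl.get_server_certificate((host, port))


def normalize(thumbprint: str) -> str:
    """Accept '5D:01:...', '5d01...' or space-separated forms."""
    return "".join(ch for ch in thumbprint.upper() if ch in "0123456789ABCDEF")


def thumbprints_match(expected: str, presented: str) -> bool:
    """Constant-time comparison after normalization; a SHA-1 thumbprint
    is exactly 40 hex digits, anything else is rejected."""
    a, b = normalize(expected), normalize(presented)
    return len(a) == 40 and hmac.compare_digest(a, b)


def expected_thumbprint(cli_value: Optional[str],
                        env: Mapping[str, str] = os.environ) -> Optional[str]:
    """--thumbprint on the command line wins; otherwise VI_THUMBPRINT."""
    return cli_value or env.get("VI_THUMBPRINT")


# Constructed sample: base64 of the bytes b"abc" wrapped as a PEM block.
# It is not a real certificate; it only exercises the thumbprint arithmetic.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    computed = thumbprint_from_pem(SAMPLE_PEM)
    reported = "a9993e364706816aba3e25717850c26c9cd0d89d"  # value from an error
    print("computed:", computed)
    print("matches reported value:", thumbprints_match(reported, computed))
```

In practice, feed fetch_server_pem() or an exported certificate into thumbprint_from_pem() and only reuse the thumbprint from the error message when thumbprints_match() returns True.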

Using the Credential Store

Your vCLI installation includes a credential store. You can manage the credential store with the credstore_admin.pl utility, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory.
Note: Updating the credential store is a two-step process. First you add the user and password for the target server, and then you add the thumbprint for the target server, as follows:
  1. Add the user and password for the target ESXi host to the local credential store.
    credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>
  2. Add the thumbprint, which was returned in the error message when you attempted to connect to the host.
    credstore_admin.pl add --server <target_server> --thumbprint <thumbprint>
    The user specified in Step 1 can now run vCLI commands against the target server without supplying credentials or the thumbprint on the command line, provided the credential store file is in the default location.
  3. (Optional) If the credential store is in a non-default location, you have to specify the location on the command line with the --credstore option.

Additional Information

See also: ESXi Certificate Error - Configuring CA signed certificates for ESXi 6.x hosts