"Signed certificate could not be retrieved due to a start time error" when adding ESXi host to vCenter Server 6.0

Article ID: 322260

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

When you replace the VMware Certificate Authority root certificate with an enterprise subordinate certificate, you experience these symptoms:

  • The certificate has been valid for less than 24 hours
  • You are unable to join a VMware vSphere ESXi host to VMware vCenter Server
  • You see the error:

    A general system error occurred: Unable to get signed certificate for host: esxi_hostname. Error: Start Time Error (70034)


Environment

VMware vCenter Server Appliance 6.0.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5
VMware vCenter Server 6.0.x
VMware vSphere ESXi 5.1

Resolution

When adding a host to VMware vCenter Server, the VMware Certificate Authority pre-dates VMware vSphere ESXi certificates by 24 hours to avoid time synchronization issues.

For example:
  • The current time on vCenter Server is 10-Jan-2020 10:00.
  • The VMCA root certificate is valid from 10-Jan-2020 07:00.
  • When the ESXi host is added to vCenter Server, the CSR is generated with a start date of "current date - 1 day", that is, 09-Jan-2020 10:00:00.
  • VMCA is valid only from 10-Jan-2020 07:00, but it receives a request to sign a certificate starting on the earlier date 09-Jan-2020 10:00. That start date lies outside the CA's own validity period, so the operation fails.
  • In this situation, the advanced setting vpxd.certmgmt.certs.minutesBefore lets you customize the start date of the ESXi certificate instead of using the default of 24 hours.
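The following check, an added example that is not VMware's code, models the start-date arithmetic described above using the article's sample times: the requested certificate start is the vCenter time minus vpxd.certmgmt.certs.minutesBefore, and VMCA can only sign if that start is not earlier than its own notBefore. It also derives the largest safe setting value and the earliest time at which hosts can be added with the default left in place (the two workarounds below). The 1440-minute default and the comparison rule are assumptions based on the article's description.

```python
from datetime import datetime, timedelta

# Assumed default: vCenter pre-dates ESXi certificates by 24 hours (1440 minutes).
DEFAULT_MINUTES_BEFORE = 24 * 60


def csr_not_before(vc_now: datetime, minutes_before: int = DEFAULT_MINUTES_BEFORE) -> datetime:
    """Start date vCenter requests for the ESXi certificate: current time minus minutesBefore."""
    return vc_now - timedelta(minutes=minutes_before)


def vmca_can_sign(vmca_not_before: datetime, vc_now: datetime,
                  minutes_before: int = DEFAULT_MINUTES_BEFORE) -> bool:
    """A CA must not issue a certificate whose validity starts before its own notBefore.
    This is the condition behind the 'Start Time Error (70034)' described in the article."""
    return csr_not_before(vc_now, minutes_before) >= vmca_not_before


def max_safe_minutes_before(vmca_not_before: datetime, vc_now: datetime) -> int:
    """Largest minutesBefore value that keeps the requested start inside VMCA's validity.
    Returns 0 when the CA certificate is not yet valid at all."""
    elapsed = vc_now - vmca_not_before
    return max(0, int(elapsed.total_seconds() // 60))


def earliest_join_time(vmca_not_before: datetime,
                       minutes_before: int = DEFAULT_MINUTES_BEFORE) -> datetime:
    """First vCenter time at which a host can be added without changing the setting
    (the 'wait 24 hours' workaround, generalized to any minutesBefore)."""
    return vmca_not_before + timedelta(minutes=minutes_before)


if __name__ == "__main__":
    # Constructed sample values taken from the article's example.
    vc_now = datetime(2020, 1, 10, 10, 0)
    vmca_valid_from = datetime(2020, 1, 10, 7, 0)

    print("default (1440):", csr_not_before(vc_now), vmca_can_sign(vmca_valid_from, vc_now))
    print("minutesBefore=10:", csr_not_before(vc_now, 10), vmca_can_sign(vmca_valid_from, vc_now, 10))
    print("largest safe minutesBefore:", max_safe_minutes_before(vmca_valid_from, vc_now))
    print("earliest join with default:", earliest_join_time(vmca_valid_from))
```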

This behavior is changed in VMware vCenter 6.0 Update 2 and later (available at VMware Downloads) through the advanced setting vpxd.certmgmt.certs.minutesBefore. For more information, see the VMware vCenter Server 6.0 Update 2 release notes.
 
To change vpxd.certmgmt.certs.minutesBefore to 10:
  1. Connect to the vCenter Server using the vSphere Client and administrator credentials.
  2. Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.
  3. In the settings list, select Advanced Settings.
  4. In the Key field, enter this key:

    vpxd.certmgmt.certs.minutesBefore

  5. In the Value field, enter:

    10

  6. Click Add.
  7. Click OK.

To work around this issue if you do not want to upgrade, use one of these options:
  • Wait 24 hours after replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate before attempting to add additional hosts to vCenter Server.
  • Join hosts to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate.

    Note: VMware vSphere ESXi hosts added to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate are not affected.

Additional Information

For translated versions of this article, see: