Search the VMware Knowledge Base (KB)
View by Article ID

Thumbprint error when running ESXCLI command as a vCLI command (2108416)

  • 19 Ratings
Language Editions

Details

You install vCLI on a supported Windows or Linux system, and run an ESXCLI command against an ESXi host or against a vCenter Server system. An error like the following results: 
Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>
The error occurs because ESXCLI in vSphere 6.0 is more secure than in earlier versions of vSphere and requires a trust relationship between the system on which you run an ESXCLI vCLI command and the target vCenter Server system or ESXi host. 

Solution

You can establish the trust relationship between the client machine on which you are running the vCLI command and the server specified in the --server option (ESXi host or vCenter Server system) in a number of ways. 

Downloading and Installing the vCenter Server Certificate

If you intend to target a vCenter Server system, and specify the ESXi host with the --vihost option, you use a Web Browser download the vCenter Server certificate from a Web Browser and install it on the machine from which you are running ESXCLI. Use the process described in How to download the vCenter Server root certificate to avoid Web Browser certificate warnings.

Using the --cacertsfile Option

Instead of installing the vCenter Server certificate, you can specify the certificate on the command line with the --cacertsfile option or the VI_CACERTFILE variable. You can also use this option if you target an ESXi host directly. 

Using the --thumbprint Option

You can supply the thumbprint for the target server (ESXi host or vCenter Server system) on the command line in the --thumbprint option (VI_THUMBPRINT variable). 
When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results: 
Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>
To establish the trust relationship, you can run the command with the thumbprint that is returned in the error message or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host that returned the error above, you can run the following command: 
esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list

Using the Credential Store

Your vCLI installation includes a credential store. You can manage the credential store with the credstore-admin utility, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory. 
Note: Updating the credential store is a two-step process. First you add the user and password for the target server, and then you add the thumbprint for the target server, as follows:
  1. Add the user and password for the target ESXi host to the local credential store. 
    credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>
  2. Add the thumbprint, which was returned in the error message when you attempted to connect to the host.
    credstore_admin.pl add --server <target_server> --thumbprint <thumbprint>
    The user specified in Step 1 can now run vCLI commands against the target server without authentication if the credential store file is in the default location.
  3. (Optional) If the credential store is in a non-default location,  you have to specify the location on the command line with the --credstore option. 




Language Editions

zh_cn,2148476

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 19 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 19 Ratings
Actions
KB: