Monday, April 15, 2019

A general system error occurred: Unable to push CA certificates and CRLs to host IP

Reposted from https://kb.vmware.com/s/article/2123386

"Signed certificate could not be retrieved due to a start time error" when adding ESXi host to vCenter Server 6.0 (2123386)

Last Updated: 6/9/2017
Categories: Troubleshooting
Details
When you replace the VMware Certificate Authority root certificate with an enterprise subordinate certificate, you experience these symptoms:
  • The certificate has been valid for less than 24 hours
  • You are unable to join a VMware vSphere ESXi host to VMware vCenter Server
  • You see the error:

    A general system error occurred: Unable to get signed certificate for host: esxi_hostname. Error: Start Time Error (70034)
Solution
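When a host is added to VMware vCenter Server, the VMware Certificate Authority backdates the start time of the VMware vSphere ESXi certificate by 24 hours to avoid time synchronization issues. If the enterprise subordinate certificate has been valid for less than 24 hours, that backdated start time falls before the subordinate certificate's own validity begins, and the request fails with the Start Time Error.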

This behavior is changed in VMware vCenter 6.0 Update 2 and later with the advanced setting vpxd.certmgmt.certs.minutesBefore, available at VMware Downloads. For more information, see the VMware vCenter Server 6.0 Update 2 release notes.

To change the vpxd.certmgmt.certs.minutesBefore to 10:
  1. Connect to the vCenter Server using the vSphere Client and administrator credentials.
  2. Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.
  3. In the settings list, select Advanced Settings.
  4. In the Key field, type a key.
  5. In the Key field, enter this key:

    vpxd.certmgmt.certs.minutesBefore
  6. In the Value field, enter:

    10
  7. Click Add.
  8. Click OK.
To work around this issue if you do not want to upgrade, use one of these options:
  • Wait 24 hours after replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate before attempting to add additional hosts to vCenter Server.
  • Join hosts to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate.

    Note: VMware vSphere ESXi hosts added to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate are not affected.
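
The following pre-check is an added example, not part of the VMware article. It assumes the Start Time Error occurs when the backdated host certificate start time falls before the subordinate CA certificate's Not Before date, and it reads that date in the format printed by `openssl x509 -noout -startdate`. The function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Backdating windows in minutes: 24 hours is the behaviour the article
# describes; 10 is the value it sets in vpxd.certmgmt.certs.minutesBefore.
DEFAULT_BACKDATE_MIN = 24 * 60
TUNED_BACKDATE_MIN = 10


def parse_openssl_startdate(line):
    """Parse a line such as 'notBefore=Apr 15 08:00:00 2019 GMT' into UTC."""
    value = line.strip().split("=", 1)[-1]
    # openssl pads single-digit days with an extra space; collapse it.
    value = " ".join(value.split())
    if not value.endswith(" GMT"):
        raise ValueError("expected a GMT timestamp, got: %r" % line)
    parsed = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def host_cert_check(ca_not_before, now, backdate_minutes):
    """Return (ok, host_start, earliest_safe) for a host added at `now`.

    ok is False when the backdated host certificate start time would
    precede the CA certificate's own start time (assumed failure condition).
    """
    window = timedelta(minutes=backdate_minutes)
    host_start = now - window
    earliest_safe = ca_not_before + window
    return host_start >= ca_not_before, host_start, earliest_safe


if __name__ == "__main__":
    # Constructed sample: subordinate CA certificate installed 6.5 hours ago.
    ca_start = parse_openssl_startdate("notBefore=Apr 15 08:00:00 2019 GMT")
    now = datetime(2019, 4, 15, 14, 30, tzinfo=timezone.utc)
    for minutes in (DEFAULT_BACKDATE_MIN, TUNED_BACKDATE_MIN):
        ok, host_start, earliest = host_cert_check(ca_start, now, minutes)
        print("minutesBefore=%d: host cert would start %s -> %s"
              % (minutes, host_start.isoformat(), "OK" if ok else "too early"))
        if not ok:
            print("  earliest safe time to add hosts: %s" % earliest.isoformat())
```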

Update History
03/15/2016 - Added the details of the vCenter Server 6.0 Update 2 release, which resolves this issue.