When deploying VCF 4.4.1.0 in my lab, I came across the following errors in the security requirements validation section:
- Failed to get SSH key for host
- Error connecting to ESXi host. SSL Certificate common name doesn’t match ESXi FQDN
This error occurs when you have not regenerated the self-signed certificates for your hosts, or they have been regenerated incorrectly (such as in the screenshot below – where the certificate includes only the hostname and not the domain name). VCF is strict about having a certificate that matches the FQDN of the host exactly.
To resolve this issue, use the following steps:
1. Assign the correct FQDN
Run the command: esxcli system hostname set --fqdn=<FQDN>
Confirm the FQDN is applied correctly using the command: esxcli system hostname get
Even if you have already assigned a hostname and domain name to the host via the DCUI, I recommend you run the above commands to confirm that they are applied correctly. If you typed only the hostname and not the FQDN into the DCUI (as demonstrated below), the certificate you generate in the next step will contain only the short hostname rather than the complete FQDN.
2. Regenerate the self-signed certificates
SSH into the host and run the command: /sbin/generate-certificates
3. Restart host services to ensure the changes are applied
Run the command: /etc/init.d/hostd restart && /etc/init.d/vpxa restart
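Before re-running the VCF validation, it helps to confirm from the bring-up workstation that every host now serves a certificate whose CN matches its FQDN. The script below is an added example (not part of the original post): it pulls each host's certificate over TLS without validating it (they are self-signed), decodes it with the openssl CLI (OpenSSL 1.1.1 or later assumed for the -ext flag), and applies the exact-match rule the error message names. The host names in HOSTS are constructed placeholders.

```python
"""Pre-flight check before VCF bring-up: does each ESXi host present a
certificate whose CN exactly matches its FQDN? Added example, not from the
original post; the host names in HOSTS are constructed placeholders."""
import socket
import ssl
import subprocess

HOSTS = ["esx01.lab.local", "esx02.lab.local"]  # constructed placeholders


def fetch_pem_cert(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate a host serves, without validating it
    (the certificates in question are self-signed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def parse_openssl_names(text: str) -> tuple[str, list[str]]:
    """Parse the output of `openssl x509 -noout -subject -nameopt RFC2253
    -ext subjectAltName` into (CN, [SAN DNS names])."""
    cn, sans = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):  # subject=CN=esx01.lab.local,O=VMware
            for rdn in line[len("subject="):].split(","):
                if rdn.strip().startswith("CN="):
                    cn = rdn.strip()[3:]
        elif line.startswith("DNS:"):  # DNS:esx01.lab.local, IP Address:10.0.0.1
            sans += [e.split(":", 1)[1] for e in line.split(", ") if e.startswith("DNS:")]
    return cn, sans


def cert_names(pem: str) -> tuple[str, list[str]]:
    """Decode a PEM certificate with the openssl CLI and return (CN, SANs)."""
    cmd = ["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253",
           "-ext", "subjectAltName"]
    out = subprocess.run(cmd, input=pem, text=True, capture_output=True, check=True)
    return parse_openssl_names(out.stdout)


def check_host(fqdn: str, cn: str, sans: list[str]) -> list[str]:
    """Apply the rule the VCF error names: the CN must equal the FQDN.
    Returns findings; an empty list means the host will pass this check."""
    findings = []
    if "." not in fqdn:  # step 1 of the fix: the host needs a real FQDN first
        findings.append(f"{fqdn}: not an FQDN; set it with esxcli system hostname set --fqdn")
    if cn.lower() != fqdn.lower():  # step 2: the regenerated cert must carry the FQDN
        why = "only the short hostname" if cn.lower() == fqdn.split(".")[0].lower() else "a different name"
        findings.append(f"{fqdn}: certificate CN '{cn}' is {why} (SANs: {sans}); rerun /sbin/generate-certificates")
    return findings


if __name__ == "__main__":
    for host in HOSTS:
        cn, sans = cert_names(fetch_pem_cert(host))
        findings = check_host(host, cn, sans)
        print(host, "OK" if not findings else findings)
```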