Backups with VMware VixDiskLib 6.0 fail with host certificate error

Article ID: VMW0015

Backups with VMware VDDK 6.0 fail if the vCenter SSL setting “vCenter requires verified host SSL certificates” is disabled.

Symptom

When performing a VMware backup, all backups fail with the following error message:

ERROR CODE [91:129]: Failed to backup all the virtual machines. Please check event viewer for individual virtual machine failure message.

In the Job Details dialog box (Job Controller > right-click backup job > Details), the Virtual Machine Status tab shows the following failure reason for individual virtual machines: 

Error opening Virtual Machine disk(s). Please ensure the following: 1) the proxy is able to communicate with the ESX host and resolve the ESX host address 2) the correct transport mode has been selected 3) the disk types configured to the virtual machine are supported. 

The vixDiskLib.log file contains the following lines:

SSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error message: The remote host certificate has these problems:
The host certificate chain is incomplete.
Host name does not match the subject name(s) in certificate.
unable to get local issuer certificate

Cause

Certificate verification is mandatory in VMware VDDK 6.0. Commvault software handles the verification for the connection to vCenter, but certificate verification is also required when a connection is relayed to a specific ESX host.

If the vCenter SSL setting “vCenter requires verified host SSL certificates” is disabled, host certificate thumbprints are not automatically verified when the host is added to the inventory. As a result, the certificate thumbprint for the host is not relayed when establishing an NFC connection to that host. The VDDK cannot access any host that does not have a verified SSL certificate thumbprint.

For more information about this requirement, see Virtual Disk Development Kit 6.0 Release Notes.

Resolution

When upgrading from vCenter 4.1 to any release of vCenter 5 or to vCenter 6.0, you must select the “vCenter requires verified host SSL certificates” option.

Note: VMware recommends upgrading older versions to 5.5.4; forward compatibility to V6.0 is supported only from V5.5.4. 

To check the setting for certificate verification in vSphere:

  1. From the vSphere client, click Home > Administration > vCenter Server Settings > SSL Settings.
    • In vCenter 6.0, the “vCenter requires verified host SSL certificates” option is not displayed because certificate verification is mandatory.
    • In any version of vCenter 5, the “vCenter requires verified host SSL certificates” option is displayed if the option was already selected during a previous upgrade.
  2. If the “vCenter requires verified host SSL certificates” option is displayed in any version of vCenter, manually verify the SSL certificate for each ESX host.
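
The manual check in step 2 comes down to comparing the thumbprint each ESX host presents with a reference value recorded out of band. The following Python is an added example, not Commvault or VMware code; it assumes thumbprints are SHA-1 digests of the DER-encoded certificate written as colon-separated hex, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"abc"

def thumbprint_from_der(der):
    """SHA-1 of the DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def thumbprint_from_pem(pem):
    """Thumbprint of a PEM certificate, e.g. one exported from the host."""
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))

def normalize(thumbprint):
    """Drop separators and whitespace; reject anything but 40 hex digits."""
    hex_only = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hex_only):
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return hex_only

def fetch_host_thumbprint(host, port=443):
    """Thumbprint of whatever certificate the host presents on the network.
    No chain validation happens here, so this is only the 'presented' side
    of the comparison, never the trusted reference."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))

def check_hosts(references, fetch=fetch_host_thumbprint):
    """Compare each host's presented thumbprint with its reference value.
    references: {host: thumbprint recorded out of band, or None if unknown}."""
    results = {}
    for host, reference in references.items():
        if reference is None:
            results[host] = "no reference"
            continue
        try:
            same = hmac.compare_digest(normalize(reference), normalize(fetch(host)))
        except (OSError, ValueError) as exc:
            results[host] = "error: %s" % exc
            continue
        results[host] = "match" if same else "MISMATCH"
    return results
```

A host reported as MISMATCH or "no reference" should not be marked as verified until its thumbprint has been confirmed from a trusted source.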

More Information

For more information, see the following links: