APC UPS Data Center & Enterprise Solutions Forum
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
I've just installed the PCNS4.2 virtual appliance for VMware, and want to have it communicate directly with my single host and the single UPS that protects it. The UPS side of things is working perfectly; the host, not so much.
Initially I was unable to get it to connect to the host while running the setup wizard. I found this discussion which led me to the Java security.policy file, and after commenting out the disabledAlgorithms directive per that note, I was able to complete the initial setup.
However, if I now visit the Communications Settings page of PCNS, I get a nasty red warning that "ESXi Host is inaccessible. Please verify that the ESXi Host logon credentials are correct and that the IP/Hostname is accessible over the network" on that page, and "Cannot connect to Host. PowerChute will not be able to issue commands to the Host" in the event log.
Examining /opt/APC/PowerChute/group1/error.log, I see
03-12-16 11:35:24,509 DEBUG qtp1559701045-55 com.apcc.m11.components.WebServer.servlets.AJAXCheckHostConnection - Connection to ESXi Host could not be made.
java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
which tells me that I'm still having an SSL handshake problem, despite it working the first time during initial setup.
I've checked that the security.policy file remains unchanged, and verified that both systems' clocks are in sync and timezones are set correctly, so I'm at a loss where to go from here. I'm particularly puzzled and perturbed that it works during initial config, then turns around and fails during normal operation.
Any and all suggestions welcome. Oh and BTW, the host is running ESXi 5.5 Update 3b, patch level 43545813. Thanks!
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
Jon,
Sorry to hear about the inconvenience. If you run the set-up wizard a second time, does PCNS register with the host? Also, is the host fully licensed, e.g. running a Standard, Enterprise, or Enterprise Plus license?
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
Hi, Bill, and thanks for responding.
I hadn't thought to try the cfgwizard a second time, but I just did and it is now failing with the same "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" error.
The host was initially installed from the free ESXi media, but I have subsequently applied an Essentials Plus license to it:
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
Jon,
When you run this command from the PCNS Appliance does it connect to the host?
openssl s_client -connect
If it does, would you send what it shows the Server public key to be? It should read Server public key is XXXX bits and the next line should read Secure Renegotiation IS supported.
It would also be helpful to know the Protocol. It should read Protocol : XXXXX with the Xs being replaced with the proper protocol.
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
Hi, Bill. Here's the response:
subject=/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.obfuscated.net/unstructuredName=1401849230,564d7761726520496e632e
issuer=/O=VMware Installer
---
No client certificate CA names sent
---
SSL handshake has read 1161 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 7A166AF1CCDF487356E3D90668EED663AD9CF8BE0B66F1445C25AA3D186AC875CB8954C235AD295309B87A28CF4D45D5
Key-Arg : None
Krb5 Principal: None
Start Time: 1481079094
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
I do note that the cert appears to be for the original name that the host picked up from my DHCP server when I first installed it. Does PCNS check whether the name matches the DNS entry for the host, perhaps?
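The fields requested in the replies above (protocol, server key size, secure renegotiation), plus the verify return code, can be pulled out of an `openssl s_client` transcript and compared with the client's own TLS restrictions. This is an added example, not part of the original thread or of APC's tooling; the function names, the disabled-protocol list and the 2048-bit floor are assumptions, and the sample transcript is constructed from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an `openssl s_client` transcript.

# Print "protocol cipher key_bits renegotiation verify_code"; "-" marks a missing field.
tls_summary() {
  awk '
    function d(v) { return (v == "") ? "-" : v }
    /^[ \t]*Protocol[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); proto = $1 }
    /^[ \t]*Cipher[ \t]*:/     { sub(/^[^:]*:[ \t]*/, ""); cipher = $1 }
    /^Server public key is/    { bits = $5 }
    /^Secure Renegotiation IS/ { reneg = ($4 == "supported") ? "yes" : "no" }
    /Verify return code:/      { code = $4 }
    END { print d(proto), d(cipher), d(bits), d(reneg), d(code) }
  '
}

# Succeed if protocol $1 appears in the comma-separated list $2 (assumed list format).
proto_disabled() {
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$1"
}

# Read a transcript on stdin; $1 = client's disabled protocols, $2 = minimum key bits.
tls_findings() {
  disabled=$1 min_bits=$2
  set -- $(tls_summary)
  proto_disabled "$1" "$disabled" && echo "protocol $1 is disabled on the client"
  [ "$3" != "-" ] && [ "$3" -lt "$min_bits" ] && echo "server key $3 bits is below $min_bits"
  [ "$5" != "-" ] && [ "$5" != "0" ] && echo "certificate did not verify (code $5)"
  return 0
}

# Constructed sample, trimmed from the transcript posted in the thread.
sample_transcript() {
  cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Stand-alone run: the disabled list and the 2048-bit floor are assumed example values.
sample_transcript | tls_findings "SSLv3, TLSv1, TLSv1.1" 2048
```

Pass the client's real disabled-protocol list as the first argument; an empty result means none of the three checks fired.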
Posted: 2021-06-29 05:47 AM . Last Modified: 2024-03-13 12:29 AM
Hi,
Would you try the following:
- add localhost.obfuscated.net to the hosts file of the PCNS VM if the PCNS VM is unable to resolve it i.e. if the hostname cannot be pinged.
- use localhost.obfuscated.net in the PCNS UI to connect to the ESXi host instead of the IP address.
Posted: 2021-06-29 05:48 AM . Last Modified: 2024-03-13 12:29 AM
Hi again, Bill.
I'm afraid that didn't help. Thinking that perhaps the name mismatch (certificate name not matching the current DNS name) might have been contributing, I generated a new SSL certificate for the current name and restarted the management services on the host, but the problem still persists with the same error message:
11-12-16 02:30:02,906 DEBUG qtp1559701045-56 com.apcc.m11.components.WebServer.servlets.AJAXCheckHostConnection - Connection to ESXi Host could not be made.
java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Posted: 2021-06-29 05:48 AM . Last Modified: 2024-03-13 12:29 AM
Hi,
Can you ping the updated host name from the PowerChute VM and is the host being added to PowerChute using the domain name or IP address?
Something else you can try is to change these two entries in the pcnsconfig.ini file:
[HostConfigSettings]
VMware_connect_timeout = 10
VMware_read_timeout = 15
and increase the timeout settings to 30 seconds each; change the values to the following:
VMware_connect_timeout = 30
VMware_read_timeout = 30
I would expect to see read timed out or connection timed out errors and not the HandshakeException error but increasing the timeouts may help.