VMware Horizon and vCenter Server Certificate Issue

After upgrading the vCenter Server used by Horizon, you may find that the vCenter Server tab on the VMware Horizon Administrator dashboard turns red and reports a certificate issue. When you check the vCenter Server option under the View Configuration tab, you may see a message that the certificate is untrusted, with an option to either accept or reject it. After accepting the certificate, you may get the message, “There was an error identifying the validity of the server”.

To fix the issue, follow these steps:

  1. Use a web browser that uses the operating system certificate store on Windows (such as Internet Explorer or Google Chrome).
  2. From the browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending the port number or the ‘vsphere-client’ extension. For example: https://vcenter.domain.com/
  3. Alternatively, the vCenter Server certificates can be downloaded from the direct URL https://vCenter_FQDN/certs/download.zip
  4. Right-click the download trusted root CA certificate link at the bottom of the grey box on the right and select Save link as. This will prompt you to download a file called ‘download.zip’.
  • The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  • Extract the contents of the ZIP file.
  • The result is a folder that contains two types of files. Files with a number as the extension (.0, .1 and so on) are root certificates. Files with an extension that starts with an r (.r0, .r1 and so on) are CRL files associated with a certificate.

Next, add the certificates on all the Connection Servers in the VMware Horizon environment.

  1. Connect to the Connection Server over RDP.
  2. Open the MMC Certificates snap-in for the Local Computer account.
  3. Expand Trusted Root Certification Authorities, right-click the Certificates folder, and select All Tasks > Import.
  4. On the Welcome screen of the Certificate Import Wizard, click Next.
  5. Browse to and select the vCenter certificates that you downloaded in the steps above.
  6. Select “Automatically select the certificate store based on the type of certificate” and click Next.
  7. Complete the Certificate Import Wizard.
  8. The certificates should be imported to the root cert store successfully.
  9. After the process has been completed on all the connection servers, the servers need to be rebooted.
  10. Reboot the connection servers as per the KB: https://kb.vmware.com/s/article/2068381.
  11. Once the Connection Servers have been rebooted and the services have restarted, verify the vCenter certificate in the VMware Horizon Administrator console.
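
The extraction and import steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it uses the .NET X509Store API in place of the MMC wizard and only imports root certificates whose thumbprints you have confirmed through a separate channel, because anything placed in the Local Computer Trusted Root store is trusted for every certificate that CA issues. The file paths and the thumbprint value are placeholders to replace.

```powershell
# Added example: review and import the vCenter root CAs from download.zip.
# Run elevated on each Connection Server. Paths and thumbprints are placeholders.
param(
    [string]$ZipPath = 'C:\Temp\download.zip',        # assumed download location
    [string]$WorkDir = 'C:\Temp\vcenter-certs',       # assumed extraction folder
    # Thumbprints confirmed with the vCenter administrator through a separate channel.
    [string[]]$ApprovedThumbprints = @('<THUMBPRINT-VERIFIED-OUT-OF-BAND>')
)

Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force

# Root certificates have a purely numeric extension (.0, .1, ...); .r0, .r1 are CRLs.
$rootFiles = Get-ChildItem -Path $WorkDir -Recurse -File |
    Where-Object { $_.Extension -match '^\.\d+$' }

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($file in $rootFiles) {
        # X509Certificate2 detects PEM or DER from the content, not the extension.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        $info = '{0}  {1}  expires {2:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter

        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Skipping expired certificate: $info"
        }
        elseif ($ApprovedThumbprints -notcontains $cert.Thumbprint) {
            Write-Warning "Skipping unapproved certificate: $info"
        }
        elseif ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0) {
            Write-Output "Already trusted: $info"
        }
        else {
            $store.Add($cert)
            Write-Output "Imported: $info"
        }
    }
}
finally {
    $store.Close()
}
```

Run it once with the placeholder left in place to list the thumbprints found in the ZIP file, then again with the confirmed values. The Connection Server reboot in steps 9 and 10 is still required afterwards.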

VMware vSAN Troubleshooting Commands

vSAN achieves high availability and performance by distributing data across multiple hosts in the vSAN cluster. Data is transmitted over the vSAN network, and there are cases where a large amount of data must be copied over it. During a resync operation, the VMs on the vSAN cluster might become inaccessible if there is not enough raw capacity available on the vSAN datastore.

By default, there should be 20% of capacity available for vSAN to function optimally. When the disks have less than 20% of free space available, vSAN automatically attempts to balance the capacity utilization by moving data from the disk to other disks in the vSAN cluster.

vSAN waits for 60 minutes by default before starting any repair and rebuild operation. vSAN has this delay of 60 minutes as many issues are transient.

Changing the default time for vSAN:

You can change the default time to a longer time frame by using the command below and then restarting the Cluster Level Object Manager (CLOM) service, clomd. These commands need to be run on all ESXi hosts in the vSAN cluster:

esxcli system settings advanced set -o /VSAN/ClomRepairDelay -i <value in minutes>

/etc/init.d/clomd restart

Note: The default of 60 minutes is designed to cover a multitude of different configurations. Setting the above option too aggressively can cause unnecessary resync operations to occur. When changing this advanced option, consider these factors:

  • Installation of ESXi updates (if performing updates)
  • ESXi host boot time (Including Power On Self-Test)
  • SSD Log recovery for vSAN

Changing the disk threshold for rebalancing of vSAN objects:

You can change the default rebalance threshold of 20% free capacity available on the data disks of the vSAN cluster by using the below command.

esxcfg-advcfg -s 85 /VSAN/ClomRebalanceThreshold && /etc/init.d/clomd restart

The above command changes the rebalance threshold to 15% free capacity on the vSAN disks. Hence vSAN will start rebalancing objects once the overall utilisation of the disks is 85% or above.