...
info kmxa[66724] [Originator@6876 sub=Libs] Starting attestation handshake for group host-8008:2792ba99-69fe-4f85-85d2-8b0f4ef39426
info kmxa[66724] [Originator@6876 sub=Libs] Connecting to attestd sb-esxi-02.domain.local:443
info kmxa[66724] [Originator@6876 sub=Libs] Tpm2Cmd: Successfully created attestation key at: 0x80000002
error kmxa[66724] [Originator@6876 sub=Libs] Error retrieving token from ATTEST: Error:
error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.vapi.std.errors.error
error kmxa[66724] [Originator@6876 sub=Libs] Messages:
error kmxa[66724] [Originator@6876 sub=Libs] com.vmware.esx.attestation.report.attest_unknown_software
error kmxa[66724] [Originator@6876 sub=Libs]
error kmxa[66724] [Originator@6876 sub=Libs] Attestation handshake with sb-esxi-02.domain.local:443 failed to yield a token
info kmxa[66724] [Originator@6876 sub=Libs] Attestation failed for group host-8008:2792ba99-69fe-4f85-85d2-8b0f4ef39426

The attestd.log on the Trust Authority Cluster hosts reports errors like the following:

info attestd[141532] [Originator@6876 sub=Libs] New attestation session: 12438589125867557969
info attestd[141573] [Originator@6876 sub=Libs] [ConfigStore:141528:193932797696:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
error attestd[141573] [Originator@6876 sub=Libs] Unknown VMkernel digest: baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[141573] [Originator@6876 sub=Libs] End session 12438589125867557969: failed

For comparison, the attestd.log on Trust Authority Cluster hosts for a successful attestation reports the following:

info attestd[272721] [Originator@6876 sub=Libs] New attestation session: 14828104972993742882
info attestd[272720] [Originator@6876 sub=Libs] [ConfigStore:272716:26149893888:] GetInstances invoked for: component esx group attestation key esx_base_images, userdatacontext: 1
info attestd[272720] [Originator@6876 sub=Libs] Loaded base image data with version 7.0.0-0.0.14896552 and VMkernel digest baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed
info attestd[272720] [Originator@6876 sub=Libs] Attestation complete for session ID 14828104972993742882 with ESX version 7.0.0-0.0.14896552
info attestd[272720] [Originator@6876 sub=Libs] End session 14828104972993742882: success

The following error type and message will appear in the logs on the Trusted vCenter:

--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.esx.attestation.report.attest_unknown_software<Attestation failed to identify the remote software version.>
When you patch or update the ESXi software on a Trusted Cluster host, the vSphere Trust Authority Cluster does not automatically trust the new software that the host is running. The host fails attestation until you manually make the new host software version trusted.
Prerequisites: You must be a Trust Authority administrator.

Procedure:

1. Perform the following steps on the Trusted Cluster host where you patched or updated the ESXi software.

   a. In a PowerCLI session, connect to the ESXi host that is currently failing attestation using the root user.

      Connect-VIServer -server esxi_host -User root -Password 'password'

   b. Assign the ESXi host to a variable.

      $vmhost = Get-VMHost

   c. Export the host's image. Ensure that the destination directory exists before running this command.

      Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz

2. Perform the following steps on the vSphere Trust Authority Cluster.

   a. Run the following commands to disconnect any current connection and connect to the vCenter Server of the Trust Authority Cluster using the Trust Authority administrator user.

      Disconnect-VIServer -server * -Confirm:$false
      Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'

   b. Assign the Trust Authority Cluster to a variable.

      $TAcluster = Get-TrustAuthorityCluster "SB-Cluster"

   c. Import the image.tgz file previously exported from the ESXi host in step 1c.

      New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster -FilePath C:\vta\image.tgz
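The following added example (not VMware code and not part of the original article) parses attestd.log lines in the message formats quoted above and lists VMkernel digests that were rejected and never later loaded from an imported base image, which is one way to confirm that the import took effect. Session 1111 and the digest made of repeated `ab` are constructed sample values; the function and variable names are assumptions.

```python
import re

# Message formats are taken from the attestd.log excerpts on this page.
NEW = re.compile(r"New attestation session: (\d+)")
END = re.compile(r"End session (\d+): (success|failed)")
UNKNOWN = re.compile(r"Unknown VMkernel digest: ([0-9a-f]{64})")
LOADED = re.compile(r"Loaded base image data with version (\S+) "
                    r"and VMkernel digest ([0-9a-f]{64})")

PAGE_DIGEST = "baa1c0eb79f2639598fd34eacdd9dea47f61a4bef9897dcc8af95fb04d57d0ed"
FAKE_DIGEST = "ab" * 32  # constructed value, not from a real host

# Constructed sample: the page's two sessions plus one that stays untrusted.
SAMPLE = f"""\
info attestd[141532] [Originator@6876 sub=Libs] New attestation session: 12438589125867557969
error attestd[141573] [Originator@6876 sub=Libs] Unknown VMkernel digest: {PAGE_DIGEST}
info attestd[141573] [Originator@6876 sub=Libs] End session 12438589125867557969: failed
info attestd[272721] [Originator@6876 sub=Libs] New attestation session: 14828104972993742882
info attestd[272720] [Originator@6876 sub=Libs] Loaded base image data with version 7.0.0-0.0.14896552 and VMkernel digest {PAGE_DIGEST}
info attestd[272720] [Originator@6876 sub=Libs] End session 14828104972993742882: success
info attestd[300001] [Originator@6876 sub=Libs] New attestation session: 1111
error attestd[300001] [Originator@6876 sub=Libs] Unknown VMkernel digest: {FAKE_DIGEST}
info attestd[300001] [Originator@6876 sub=Libs] End session 1111: failed
"""

def triage(lines):
    """Return (sessions, digests); for each digest the latest log event wins."""
    sessions, digests = {}, {}
    for line in lines:
        if m := NEW.search(line):
            sessions[m.group(1)] = "open"      # no "End session" line seen yet
        elif m := END.search(line):
            sessions[m.group(1)] = m.group(2)  # "success" or "failed"
        elif m := UNKNOWN.search(line):
            d = digests.setdefault(m.group(1), {"version": None, "rejected": 0})
            d["rejected"] += 1
            d["trusted"] = False
        elif m := LOADED.search(line):
            d = digests.setdefault(m.group(2), {"version": None, "rejected": 0})
            d["version"], d["trusted"] = m.group(1), True
    return sessions, digests

def needs_import(digests):
    """Digests still rejected at the end of the log: no base image matched."""
    return sorted(k for k, v in digests.items() if not v["trusted"])

if __name__ == "__main__":
    print("still untrusted:", needs_import(triage(SAMPLE.splitlines())[1]))
```
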