1. 故障描述
vSphere Client 版本 7.0.2.00200
vCenter _MACHINE_CERT快到期了,通过web界面更新证书失败
第一步先这样,重新续订一下证书
续订发生错误
2. 解决办法
2.1. 前提工作
登陆ssh到vcenter,重新生成证书
先关掉HA,不然证书管理会报错。
Connected to service * List APIs: "help api list" * List Plugins: "help pi list" * Launch BASH: "shell"Command> shellShell access is granted to rootroot@localhost [ ~ ]# cd /usr/lib/vmware-vmca/bin/root@localhost [ /usr/lib/vmware-vmca/bin ]# /usr/lib/vmware-vmca/bin/certificate-managerCertificate Manager tool do not support vCenter HA systemsPSSSSSSSS:记得vCenter做备份,做快照
2.2. 生成计算机ssl证书
生成证书,选择第三个(PS,如果没有域名的,一定要写IP,不然很容易卡在85%,服务不能起来)
root@localhost [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | || *** Welcome to the vSphere 6.8 Certificate Manager *** || || -- Select Operation -- || || 1. Replace Machine SSL certificate with Custom Certificate || || 2. Replace VMCA Root certificate with Custom Signing || Certificate and replace all Certificates || || 3. Replace Machine SSL certificate with VMCA Certificate || || 4. Regenerate a new VMCA Root Certificate and || replace all certificates || || 5. Replace Solution user certificates with || Custom Certificate || NOTE: Solution user certs will be deprecated in a future || release of vCenter. Refer to release notes for more details.|| || 6. Replace Solution user certificates with VMCA certificates || || 7. Revert last performed operation by re-publishing old || certificates || || 8. Reset all Certificates ||_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|Note : Use Ctrl-D to exit.Option[1 to 8]: 3Please provide valid SSO and VC privileged user credential to perform certificate operations.Enter username [Administrator@vsphere.local]:Enter password:certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : yPress Enter key to skip optional parameters or use Previous value.Enter proper value for 'Country' [Previous value : CN] : Enter proper value for 'Name' [Previous value : CA] : Enter proper value for 'Organization' [Previous value : VMware] : Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] : Enter proper value for 'State' [Previous value : California] : gdEnter proper value for 'Locality' [Previous value : Palo Alto] : gzEnter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : XX.XX.XX.XXEnter proper value for 'Email' [Previous value : email@acme.com] : q@qq.ccEnter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : XX.XX.XX.XXEnter proper value for VMCA 'Name' :XX.XX.XX.XXYou are going to regenerate Machine SSL cert using VMCAContinue operation : Option[Y/N] ? : yGet site nameompleted [Replacing Machine SSL Cert...] default-first-siteLookup all servicesGet service default-first-site:721f0c08-f5fe-4233-aca8-adb8de27427bUpdate service default-first-site:721f0c08-f5fe-4233-aca8-adb8de27427b; spec: /tmp/svcspec_nmq8sskuGet service default-first-site:a8fa2cf1-a539-4327-aa48-c33761a538a4Update service default-first-site:a8fa2cf1-a539-4327-aa48-c33761a538a4; spec: /tmp/svcspec_o_gl7c_2Get service default-first-site:204a2a4e-223e-46d6-93e2-fec0c90393c4Update service default-first-site:204a2a4e-223e-46d6-93e2-fec0c90393c4; spec: /tmp/svcspec__2p8lujuGet service 79e91659-12a1-427b-92e5-11f1cbc2c150Update service 79e91659-12a1-427b-92e5-11f1cbc2c150; spec: /tmp/svcspec_8zwpgcefGet service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vropsDon't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vropsGet service 0cb00c88-bb60-478c-9737-802019c5708aUpdate service 0cb00c88-bb60-478c-9737-802019c5708a; spec: /tmp/svcspec_k5szxjgsGet service 1ee5c2aa-fde0-489a-8f95-f701f84b44c9Update service 1ee5c2aa-fde0-489a-8f95-f701f84b44c9; spec: /tmp/svcspec_sdbbikhrGet service 5f15b57d-8269-47d4-88af-c9aab1fd223dUpdate service 5f15b57d-8269-47d4-88af-c9aab1fd223d; spec: /tmp/svcspec_mwgz82tzGet service 56e494d3-f758-461a-8337-e309d1e2d0b4Update service 56e494d3-f758-461a-8337-e309d1e2d0b4; spec: /tmp/svcspec_b6fwtzz6Get service d3426061-6261-456f-b5b2-e70d3e56c69eUpdate service d3426061-6261-456f-b5b2-e70d3e56c69e; spec: /tmp/svcspec_o08ocymwGet service 1c5fe660-5abd-453d-9f18-d21ca1a615b9Update service 1c5fe660-5abd-453d-9f18-d21ca1a615b9; spec: /tmp/svcspec_v__tqn34Get service 8ccf37e5-c01f-491b-88d1-fd67d6377c2fUpdate service 8ccf37e5-c01f-491b-88d1-fd67d6377c2f; spec: /tmp/svcspec_yczoj_f9Get service 4d101d2f-a50f-4ffd-b03a-f3728817b340Update service 4d101d2f-a50f-4ffd-b03a-f3728817b340; spec: /tmp/svcspec_wyhs5pfyGet service 761c8d6c-131f-4136-9e0e-4945917a5607Update service 761c8d6c-131f-4136-9e0e-4945917a5607; spec: /tmp/svcspec_gjkmay7hGet service ec372f25-38cf-4cd8-ac92-6ebeff0ff85eUpdate service ec372f25-38cf-4cd8-ac92-6ebeff0ff85e; spec: /tmp/svcspec_u4c16zhsGet service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vsphere.clientDon't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vsphere.clientGet service e97549a3-2aa5-4e47-a81b-5b6490837d43Update service e97549a3-2aa5-4e47-a81b-5b6490837d43; spec: /tmp/svcspec_h26ke7t5Get service 279f5d2f-f375-41d6-b5d3-8a7e397fb6c8Update service 279f5d2f-f375-41d6-b5d3-8a7e397fb6c8; spec: /tmp/svcspec_hw2tz45wGet service 4730664d-0fe7-4e70-b827-bcdf1686d17dUpdate service 4730664d-0fe7-4e70-b827-bcdf1686d17d; spec: /tmp/svcspec_mn19ltn_Get service e64650fc-800d-4855-9b60-bd591562102bUpdate service e64650fc-800d-4855-9b60-bd591562102b; spec: /tmp/svcspec_8iz8nl1tGet service 0c872fd2-b582-4172-8b7e-465f6de28b76Update service 0c872fd2-b582-4172-8b7e-465f6de28b76; spec: /tmp/svcspec_f3957lvaGet service bf46ae3e-9d26-459a-9703-25000ba81e09Update service bf46ae3e-9d26-459a-9703-25000ba81e09; spec: /tmp/svcspec_sfje8un0Get service 430891f7-bb3c-475a-9331-bdb671f1b415Update service 430891f7-bb3c-475a-9331-bdb671f1b415; spec: /tmp/svcspec_g91d7d9pGet service 1ee5233a-0737-4b71-b74e-28105ff9361bUpdate service 1ee5233a-0737-4b71-b74e-28105ff9361b; spec: /tmp/svcspec_184jc1s2Get service 6cc99f96-ee9a-406b-9018-2414b837c442_kvUpdate service 6cc99f96-ee9a-406b-9018-2414b837c442_kv; spec: /tmp/svcspec_2rjbyjljGet service c947d5e0-c832-4b98-9518-c28d5be261c6Update service c947d5e0-c832-4b98-9518-c28d5be261c6; spec: /tmp/svcspec_d18ux756Get service cc78a6fe-ee02-414a-a10a-5b9511810c0eUpdate service cc78a6fe-ee02-414a-a10a-5b9511810c0e; spec: /tmp/svcspec_nd5ehat0Get service daaffbbd-5fdb-4aaf-842a-94e4c6948920Update service daaffbbd-5fdb-4aaf-842a-94e4c6948920; spec: /tmp/svcspec__o82zeymGet service 206c94d5-8cc7-4646-a93e-389064c64bbeUpdate service 206c94d5-8cc7-4646-a93e-389064c64bbe; spec: /tmp/svcspec_oecjimvwGet service 6cc99f96-ee9a-406b-9018-2414b837c442_authzUpdate service 6cc99f96-ee9a-406b-9018-2414b837c442_authz; spec: /tmp/svcspec_du_d2yx4Get service 26edf5a0-b4e6-41b9-b972-e74c493dab27Update service 26edf5a0-b4e6-41b9-b972-e74c493dab27; spec: /tmp/svcspec_dc89lu60Get service 0d85950f-ca7d-4686-aa36-b627ce77fda9Update service 0d85950f-ca7d-4686-aa36-b627ce77fda9; spec: /tmp/svcspec_igw1rch3Get service 287c218f-a49f-41fd-b845-1962a1db7b2fUpdate service 287c218f-a49f-41fd-b845-1962a1db7b2f; spec: /tmp/svcspec_0fjjjag3Get service b6332254-0911-4bb1-8461-7e9d7ac18fb2Update service b6332254-0911-4bb1-8461-7e9d7ac18fb2; spec: /tmp/svcspec_0up89kupGet service 87899b67-58d6-4d1a-99a1-7a5a47fe8d79Update service 87899b67-58d6-4d1a-99a1-7a5a47fe8d79; spec: /tmp/svcspec_de6rp33rGet service 0fbed2c1-0e7e-4fd1-9eaa-78a6af02d788Update service 0fbed2c1-0e7e-4fd1-9eaa-78a6af02d788; spec: /tmp/svcspec_s5ew895rGet service 6cc99f96-ee9a-406b-9018-2414b837c442Update service 6cc99f96-ee9a-406b-9018-2414b837c442; spec: /tmp/svcspec_ue3hi4ztGet service 79ed9113-fa3f-4f5e-817a-7a11145880c7Update service 79ed9113-fa3f-4f5e-817a-7a11145880c7; spec: /tmp/svcspec_r0azsaibGet service 1829b7b8-e755-4db6-9665-439f3f2624d1Update service 1829b7b8-e755-4db6-9665-439f3f2624d1; spec: /tmp/svcspec_pfbbxyofGet service 1146b510-76ab-4e88-9a1e-5933b4d64f3eUpdate service 1146b510-76ab-4e88-9a1e-5933b4d64f3e; spec: /tmp/svcspec_rncl11rdGet service 31728e0d-6f78-4da8-93aa-98fb456d5672Update service 31728e0d-6f78-4da8-93aa-98fb456d5672; spec: /tmp/svcspec_7i1z6ff9Get service 196f8571-ac23-4a80-882f-aba9deb7989bUpdate service 196f8571-ac23-4a80-882f-aba9deb7989b; spec: /tmp/svcspec_jkmbsi93Get service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vcopsDon't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vcopsGet service bc991693-97a8-4993-949d-d5eb461d4824Don't update service bc991693-97a8-4993-949d-d5eb461d4824Get service 1652cda7-3207-431e-9d82-031ceffb42b4Update service 1652cda7-3207-431e-9d82-031ceffb42b4; spec: /tmp/svcspec_xth2o90bGet service 659e024f-fa27-4d0a-bcb8-54634aea9679Update service 659e024f-fa27-4d0a-bcb8-54634aea9679; spec: /tmp/svcspec_5g731icvGet service b7c2a448-af0e-4d7e-a892-0d307bd9ee9dUpdate service b7c2a448-af0e-4d7e-a892-0d307bd9ee9d; spec: /tmp/svcspec_3e61aymdUpdated 43 service(s)Status : 85% Completed [starting services...] Status : 100% Completed [All tasks completed successfully] 2.3. 删除旧的证书
# 查看一下现有的证书root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;[*] Store : MACHINE_SSL_CERTAlias :__MACHINE_CERT Not After : May 11 08:44:26 2025 GMT[*] Store : TRUSTED_ROOTSAlias :6f6ae78eb3a9abdbc7bf43797b765e62851a6af6 Not After : May 25 02:23:47 2031 GMT[*] Store : machineAlias :machine Not After : May 25 02:23:47 2031 GMT[*] Store : vsphere-webclientAlias :vsphere-webclient Not After : May 25 02:23:47 2031 GMT[*] Store : vpxdAlias :vpxd Not After : May 25 02:23:47 2031 GMT[*] Store : vpxd-extensionAlias :vpxd-extension Not After : May 25 02:23:47 2031 GMT[*] Store : hvcAlias :hvc Not After : May 25 02:23:47 2031 GMT[*] Store : data-enciphermentAlias :data-encipherment Not After : May 25 02:23:47 2031 GMT[*] Store : APPLMGMT_PASSWORDAlias :location_password_default[*] Store : SMSAlias :sms_self_signed Not After : May 30 02:28:11 2031 GMT[*] Store : wcpAlias :wcp Not After : May 30 02:19:32 2023 GMT[*] Store : BACKUP_STOREAlias :bkp___MACHINE_CERT Not After : May 30 14:23:47 2023 GMTAlias :bkp_machine Not After : May 25 02:23:47 2031 GMTAlias :bkp_vsphere-webclient Not After : May 25 02:23:47 2031 GMTAlias :bkp_vpxd Not After : May 25 02:23:47 2031 GMTAlias :bkp_vpxd-extension Not After : May 25 02:23:47 2031 GMTAlias :bkp_hvc Not After : May 25 02:23:47 2031 GMTAlias :bkp_wcp Not After : May 30 02:19:32 2023 GMTAlias :__MACHINE_CERT Not After : May 11 08:21:25 2025 GMT# 删除证书root@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store delete --name BACKUP_STORE -ySuccessfully deleted store [BACKUP_STORE]root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;[*] Store : MACHINE_SSL_CERTAlias :__MACHINE_CERT Not After : May 11 08:44:26 2025 GMT[*] Store : TRUSTED_ROOTSAlias :6f6ae78eb3a9abdbc7bf43797b765e62851a6af6 Not After : May 25 02:23:47 2031 GMT[*] Store : machineAlias :machine Not After : May 25 02:23:47 2031 GMT[*] Store : vsphere-webclientAlias :vsphere-webclient Not After : May 25 02:23:47 2031 GMT[*] Store : vpxdAlias :vpxd Not After : May 25 02:23:47 2031 GMT[*] Store : vpxd-extensionAlias :vpxd-extension Not After : May 25 02:23:47 2031 GMT[*] Store : hvcAlias :hvc Not After : May 25 02:23:47 2031 GMT[*] Store : data-enciphermentAlias :data-encipherment Not After : May 25 02:23:47 2031 GMT[*] Store : APPLMGMT_PASSWORDAlias :location_password_default[*] Store : SMSAlias :sms_self_signed Not After : May 30 02:28:11 2031 GMT[*] Store : wcpAlias :wcp Not After : May 30 02:19:32 2023 GMT2.4. 再更新wcp证书
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-543BB100-515E-4FFF-8D88-7D73E4CB8248.html
root@localhost [ /tmp ]# vim certool.cfg root@localhost [ /tmp ]# cat certool.cfg## Template file for a CSR request## Country is needed and has to be 2 charactersCountry = USName= CAOrganization = VMwareOrgUnit = VMware EngineeringState = gdLocality = Palo AltoIPAddress = 127.0.0.1Email = email@acme.comHostname = xx.xx.xx.xxroot@localhost [ /tmp ]# /usr/lib/vmware-vmca/bin/certool --genkey --privkey=/tmp/wcp.priv --pubkey=/tmp/wcp.pubStatus : Successroot@localhost [ /tmp ]# /usr/lib/vmware-vmca/bin/certool --gencert --privkey=/tmp/wcp.priv --cert /tmp/wcp.crt --Name=wcp --config /tmp/certool.cfgUsing config file : /tmp/certool.cfgStatus : Successroot@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/dir-cli service listEnter password for administrator@vsphere.local: 1. machine-4b340ebe-d18a-427a-b130-d92673fd97fd2. vsphere-webclient-4b340ebe-d18a-427a-b130-d92673fd97fd3. vpxd-4b340ebe-d18a-427a-b130-d92673fd97fd4. vpxd-extension-4b340ebe-d18a-427a-b130-d92673fd97fd5. hvc-4b340ebe-d18a-427a-b130-d92673fd97fd6. wcp-4b340ebe-d18a-427a-b130-d92673fd97fd# 停止服务root@localhost [ /var/log/vmware/vpxd ]# service-control --stop --allOperation not cancellable. Please wait for it to finish...Performing stop operation on service observability...Successfully stopped service observabilityPerforming stop operation on service vmware-pod...Successfully stopped service vmware-podPerforming stop operation on service vmware-vdtc...Successfully stopped service vmware-vdtcPerforming stop operation on profile: ALL...Successfully stopped service vmware-vmonSuccessfully stopped profile: ALL.Performing stop operation on service vmcad...Successfully stopped service vmcadPerforming stop operation on service vmdird...Successfully stopped service vmdirdPerforming stop operation on service vmafdd...Successfully stopped service vmafddPerforming stop operation on service lwsmd...Successfully stopped service lwsmd# 再启动相关服务root@localhost [ /var/log/vmware/vpxd ]# service-control --start vmafddOperation not cancellable. Please wait for it to finish...Performing start operation on service vmafdd...Successfully started service vmafddroot@localhost [ /var/log/vmware/vpxd ]# service-control --start vmdirdOperation not cancellable. Please wait for it to finish...Performing start operation on service vmdird...Successfully started service vmdirdroot@localhost [ /var/log/vmware/vpxd ]# service-control --start vmcadOperation not cancellable. Please wait for it to finish...Performing start operation on service vmcad...Successfully started service vmcad# 更新证书root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/dir-cli service update --name wcp-4b340ebe-d18a-427a-b130-d92673fd97fd --cert /tmp/wcp.crtEnter password for administrator@vsphere.local: Service [wcp-4b340ebe-d18a-427a-b130-d92673fd97fd] updated successfullyroot@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store wcp --alias wcpWarning: This operation will delete entry [wcp] from store [wcp]Do you wish to continue? Y/N [N] yDeleted entry with alias [wcp] in store [wcp] successfully root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store wcp --alias wcp --cert /tmp/wcp.crt --key /tmp/wcp.privEntry with alias [wcp] in store [wcp] was created successfully # 启动服务root@localhost [ /tmp ]# service-control --start --all# 查看证书时间更新了root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;[*] Store : MACHINE_SSL_CERTAlias :__MACHINE_CERT Not After : May 11 08:44:26 2025 GMT[*] Store : TRUSTED_ROOTSAlias :6f6ae78eb3a9abdbc7bf43797b765e62851a6af6 Not After : May 25 02:23:47 2031 GMT[*] Store : machineAlias :machine Not After : May 25 02:23:47 2031 GMT[*] Store : vsphere-webclientAlias :vsphere-webclient Not After : May 25 02:23:47 2031 GMT[*] Store : vpxdAlias :vpxd Not After : May 25 02:23:47 2031 GMT[*] Store : vpxd-extensionAlias :vpxd-extension Not After : May 25 02:23:47 2031 GMT[*] Store : hvcAlias :hvc Not After : May 25 02:23:47 2031 GMT[*] Store : data-enciphermentAlias :data-encipherment Not After : May 25 02:23:47 2031 GMT[*] Store : APPLMGMT_PASSWORDAlias :location_password_default[*] Store : SMSAlias :sms_self_signed Not After : May 30 02:28:11 2031 GMT[*] Store : wcpAlias :wcp Not After : May 11 08:50:55 2025 GMT3. 参考KB
https://kb.vmware.com/s/article/2112277
https://kb.vmware.com/s/article/2015600?lang=zh_CN
https://kb.vmware.com/s/article/2097936?lang=zh_cn
https://medium.com/@ITsolutions/vmware-vcenter-certificate-replacement-7d2e7fa3fb89
https://captainvops.com/2022/12/16/vcenter-8-machine-ssl-certificate-management/
https://vninja.net/2022/08/08/expired-vmware-vcenter-7-certificates/
4. 命令
# 开启sftpchsh -s /bin/bash root查看CA证书有多少/usr/lib/vmware-vmafd/bin/dir-cli trustedcert listroot@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert listEnter password for administrator@vsphere.local: Number of certificates:1#1:CN(id):3AEF9845A3E59122EDCB50C946C7886AFBB3D211Subject DN:CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=localhost, OU=VMware EngineeringCRL present:yes# 导出CA证书are-vmafd/bin/dir-cli trustedcert get --id A35412348D33EA5EB11E66EF901A1F8D99B0465 --outcert /tmp/vmca_root.cer# 查看证书情况for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;[*] Store : MACHINE_SSL_CERTAlias :__MACHINE_CERT Not After : May 11 08:44:26 2025 GMT[*] Store : TRUSTED_ROOTSAlias :6f6ae78eb3a9abdbc7bf43797b765e62851a6af6 Not After : May 25 02:23:47 2031 GMT5. 报错
5.1. Error Failed to start vmon services.vmon-cli RC=1
When you go to read the “certificate-manager.log”, you see an entry like this:
Error Failed to start vmon services.vmon-cli RC=1
After a lot of searching on the internet, I sum up with this good article which helps me to solve my problem. The procedure is very simple, you just need to change the file permission of /etc/vmware/.buildInfo from 640 back to 444, SSH to your vCenter Server with root user and type following commands:
shell
chmod 444 /etc/vmware/.buildInfo
https://kb.vmware.com/s/article/2150057?lang=zh_CN
5.2. 脚本执行之后卡在85%
这里大概率可能是证书里面的FQDN和主机不匹配,又或者是主机解析FQDN有问题。
https://blog.csdn.net/CrossProblems/article/details/135395563