<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Adding new host to pool fails - Stunnel SSL certificate verification failure]]></title><description><![CDATA[<p dir="auto">Posting this here in the hopes that someone has an answer and that this helps anyone else encountering the issue.</p>
<p dir="auto">I have a pool of a few hosts which I recently upgraded to XCP-ng 8.3 from 8.2. And, now, I am attempting to add a new host to this pool to increase my resource capacity. However, after adding the new server in Xen Orchestra, I go to my primary pool to begin the process of adding the new server, but that fails with an error "Internal_Error(Stunnel.Stunnel [some text that runs off the screen] routines::certificate verify failed"))"</p>
<p dir="auto">The full error is as follows:</p>
<p dir="auto">"Stunnel.Stunnel_verify_error("0A000086:SSL routines::certificate verify failed")"</p>
<p dir="auto">And the complete readout of the event is as follows:</p>
<pre><code>{
  "id": "0mpn7bwnk",
  "properties": {
    "method": "pool.mergeInto",
    "params": {
      "sources": [
        "65c279b5-5a9d-db33-92f1-3f057fbafda6"
      ],
      "target": "f735841b-af37-0547-5d1e-8cb11bc51f0d",
      "force": true
    },
    "name": "API call: pool.mergeInto",
    "userId": "905ebdb9-6698-4902-8e60-9a028d1aa441",
    "type": "api.call"
  },
  "start": 1779834203408,
  "status": "failure",
  "updatedAt": 1779834206165,
  "end": 1779834206165,
  "result": {
    "code": "INTERNAL_ERROR",
    "params": [
      "Stunnel.Stunnel_verify_error(\"0A000086:SSL routines::certificate verify failed\")"
    ],
    "call": {
      "duration": 2713,
      "method": "pool.join_force",
      "params": [
        "* session id *",
        "192.168.1.11",
        "root",
        "* obfuscated *"
      ]
    },
    "message": "INTERNAL_ERROR(Stunnel.Stunnel_verify_error(\"0A000086:SSL routines::certificate verify failed\"))",
    "name": "XapiError",
    "stack": "XapiError: INTERNAL_ERROR(Stunnel.Stunnel_verify_error(\"0A000086:SSL routines::certificate verify failed\"))\n    at Function.wrap (file:///usr/local/lib/node_modules/xo-server/node_modules/xen-api/_XapiError.mjs:16:12)\n    at file:///usr/local/lib/node_modules/xo-server/node_modules/xen-api/transports/json-rpc.mjs:38:21\n    at runNextTicks (node:internal/process/task_queues:60:5)\n    at processImmediate (node:internal/timers:454:9)\n    at process.callbackTrampoline (node:internal/async_hooks:130:17)"
  }
}
</code></pre>
<p dir="auto">Obviously, it's unhappy about the certs. But I can't figure out why. For additional context, I have never messed with the certs on these servers previously. Based on some other forum posts, I went and checked the cert at <code>/etc/stunnel/xapi-stunnel-ca-bundle.pem</code> on the pool master as well as this new host. Seeing that it exists but unsure of whether it was still integral, I even ran <code>xe host-refresh-server-certificate host=hostname</code> on both just in case. Despite that, this error persists. Does anyone have any insight into the error or a possible fix from what they may have encountered themselves previously?</p>
]]></description><link>https://xcp-ng.org/forum/topic/12244/adding-new-host-to-pool-fails-stunnel-ssl-certiticate-verification-failure</link><generator>RSS for Node</generator><lastBuildDate>Wed, 27 May 2026 00:48:11 GMT</lastBuildDate><atom:link href="https://xcp-ng.org/forum/topic/12244.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 26 May 2026 22:40:51 GMT</pubDate><ttl>60</ttl></channel></rss>