Creating Windows Stemcell using stembuild binary fails on construct step with error "x509: cannot validate certificate for <IP> because it doesn't contain any IP SANs"

Article ID: 293890


Products

Operations Manager

Issue/Introduction

When creating a Windows Stemcell for your vSphere environment by following the documentation "Creating a Windows Stemcell for vSphere Using stembuild", running the stembuild construct command fails with the following error:
Creating provision dir on target VM...succeeded. 
Transferring ~20 MB to the Windows VM. Depending on your connection, the transfer may take 15-45 minutes

Uploading... Error: Put "https://<IP>:443/guestFile?id=xxxxx&token=xxxxx": x509: cannot validate certificate for <IP> because it doesn't contain any IP SANs
 
./stembuild-linux: Put "https://<IP>:443/guestFile?id=xxxxx&token=xxxxx": x509: cannot validate certificate for <IP> because it doesn't contain any IP SANs
Could not prepare VM: vcenter_client - ./LGPO.zip could not be uploaded 

The command you ran looks similar to the following:
./stembuild-linux construct -vm-ip <target-vm-ip> -vm-username <username> -vm-password xxxxx -vcenter-url <url> -vcenter-ca-certs <path-to-vcenter-ca-certs> -vcenter-username <vcenter-username> -vcenter-password xxxxx -vm-inventory-path <path-to-target-vm> 


Environment

Product Version: 2.7
OS: Windows

Resolution

The error in the Issue section means that the vCenter certificate specified with the -vcenter-ca-certs flag of the stembuild construct command does not contain a SAN (Subject Alternative Name) entry for the <IP>.

If you decode the certificate and look at its SAN field, the IP address from the error message is not listed:
openssl x509 -in <vcenter-ca-cert> -noout -text 


Workaround

Skip SSL validation by exporting the following environment variable before running the construct command:
  • If you're on a Linux host using the vSphere Stembuild CLI - Linux tool to create Windows Stemcells, export the GOVC_INSECURE variable with:
export GOVC_INSECURE=true
  • If you're on a Windows host (using PowerShell) using the vSphere Stembuild CLI - Windows tool to create Windows Stemcells, set the GOVC_INSECURE variable with:
$Env:GOVC_INSECURE = "true"

Setting GOVC_INSECURE helps because the stembuild binary uses a client that builds govc CLI commands to run against your vCenter, and that client respects the exported environment variable.