Vmware Cloud Foundation: The certificate bundle upload validation fails with "Permitted subtrees cannot be built from name constraints extension"
Article ID: 313495

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:

The certificate bundle upload validation fails with the error "Permitted subtrees cannot be built from name constraints extension", as seen in the operations manager log:

log file: /var/log/vmware/vcf/operationsmanager.log

2023-02-27T09:05:40.246+0000 DEBUG [vcf_om,e1311c61666d4e43,d57e] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-3] Processing localizable exception Permitted subtrees cannot be built from name constraints extension.
2023-02-27T09:05:40.247+0000 ERROR [vcf_om,e1311c61666d4e43,d57e] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-3] [UVD65N] CERTIFICATE_GENERAL_EXCEPTION Permitted subtrees cannot be built from name constraints extension.
com.vmware.vcf.certmgmt.rest.api.exception.CertMgmtRestException: Permitted subtrees cannot be built from name constraints extension.
    at com.vmware.vcf.certmgmt.rest.api.controller.v1.CertificateManagementController.uploadCertificates(CertificateManagementController.java:691)
    at com.vmware.vcf.certmgmt.rest.api.controller.v1.CertificateManagementController$$FastClassBySpringCGLIB$$641cd3ee.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
......
Caused by: java.lang.NullPointerException: null
    at java.base/java.util.HashSet.<init>(HashSet.java:119)
    at org.bouncycastle.asn1.x509.PKIXNameConstraintValidator.intersectOtherName(Unknown Source)
    at org.bouncycastle.asn1.x509.PKIXNameConstraintValidator.intersectPermittedSubtree(Unknown Source)


Environment

VMware Cloud Foundation 3.0.x
VMware Cloud Foundation 4.0.x
VMware Cloud Foundation 2.x

Cause

If a Name Constraints field is present in any of the certificates and it contains entries that decode as "<unsupported>" or "<invalid>", the validation is expected to fail on the VCF side (the stack trace above shows the NullPointerException raised in PKIXNameConstraintValidator.intersectOtherName while the permitted subtrees are processed).

To decode the certificate contents use the following command:

openssl x509 -in <certificate file>.crt -noout -text

In the X509v3 extensions section of the decoded output, look for the Name Constraints field. If it contains any "<unsupported>" or "<invalid>" entries, as shown below, the certificate will not be accepted by SDDC Manager.

X509v3 Name Constraints: critical
Permitted:
othername:<unsupported>
email:
DNS:<dns domain>
DNS:.<dns domain>
DirName:
URI:<dns name>
URI:.<dns domain>
IP:IP Address:<invalid>


Note: If using a certificate chain, check the above for all the intermediates.
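As an added pre-upload check (example code, not VMware's), the Python script below parses the Name Constraints extension of every certificate in a PEM bundle, including intermediates, and lists the entries that openssl prints as othername:<unsupported> or IP Address:<invalid>. It assumes the extension can be located by its OID bytes instead of walking the whole tbsCertificate, and the sample input is a constructed extension, not a real certificate.

```python
import base64, re
NC_OID = bytes.fromhex("0603551d1e")  # DER TLV of id-ce-nameConstraints (2.5.29.30)
GENERAL_NAME = {0: "otherName", 1: "email", 2: "DNS", 4: "DirName", 6: "URI", 7: "IP", 8: "RID"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag byte, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(buf):  # (tag, value) of each element inside a constructed DER value
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val
def name_constraints(cert_der):  # [(subtree, name type, accepted)] for the extension
    idx = cert_der.find(NC_OID)  # assumption: found by OID, not by walking tbsCertificate
    if idx < 0:
        return []
    _, _, pos = _tlv(cert_der, idx)  # step over extnID
    tag, val, pos = _tlv(cert_der, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = _tlv(cert_der, pos)
    _, body, _ = _tlv(val, 0)  # extnValue OCTET STRING wraps the NameConstraints SEQUENCE
    found = []
    for tag, subtrees in _children(body):  # [0] permittedSubtrees / [1] excludedSubtrees
        kind = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in _children(subtrees):  # GeneralSubtree: base GeneralName comes first
            gtag, gval = next(_children(subtree))
            gtype = GENERAL_NAME.get(gtag & 0x1F, "?")
            ok = gtype not in ("otherName", "?")  # openssl prints these as <unsupported>
            if gtype == "IP":  # address+mask must be 8 (IPv4) or 32 (IPv6) bytes
                ok = len(gval) in (8, 32)  # otherwise openssl prints IP Address:<invalid>
            found.append((kind, gtype, ok))
    return found

def scan_bundle(pem_text):  # cert index in the PEM bundle -> entries SDDC Manager rejects
    return {i: [e for e in name_constraints(base64.b64decode("".join(b64.split()))) if not e[2]]
            for i, b64 in enumerate(PEM_RE.findall(pem_text))}
def _der(tag, body):  # short-form TLV builder, enough for the constructed sample below
    return bytes([tag, len(body)]) + body
# Constructed sample (not a real certificate): critical permitted subtrees holding an
# otherName (UPN OID 1.3.6.1.4.1.311.20.2.3), DNS:.corp.example and a 4-byte IP entry.
SAMPLE_DER = _der(0x30, NC_OID + _der(0x01, b"\xff") + _der(0x04, _der(0x30, _der(0xA0,
    _der(0x30, _der(0xA0, _der(0x06, bytes.fromhex("2b060104018237140203"))
                          + _der(0xA0, _der(0x0C, b"user@corp.example"))))
    + _der(0x30, _der(0x82, b".corp.example"))
    + _der(0x30, _der(0x87, bytes([10, 0, 0, 0])))))))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SAMPLE_DER).decode()
```

Run scan_bundle on the bundle you intend to upload; any non-empty list means that certificate needs to be reissued without the listed entries.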

Resolution

Currently there is no resolution for this issue.


Workaround:

To work around the issue, update the CA configuration so that the certificate is issued without these Name Constraints entries, generate the certificate again, create the bundle, and upload it to replace the certificates again.