"Certificate differs from the expected one" error when pairing cloud sites in vCloud Availability 4.x.x
Article ID: 314991
Products
VMware Cloud Director
Issue/Introduction
Symptoms:
When pairing two cloud sites, you see an error similar to the following in the Sites view of the vCloud Availability Provider Portal in both sites:
Certificate differs from the expected one.
In the Sites view of the vCloud Availability Provider Portal, authenticating with the remote site fails.
The following error occurs during a New cloud pairing:
Generic error during the SSL handshake
In /opt/vmware/h4/cloud/log/cloud.log on the vApp Replication Manager, you see an entry similar to the following:
2020-03-10 17:58:58.488 DEBUG - [UI-1xxxxxx7-0x0c-4xx5-axxc-axxxxxxxxxd-A9] [job-7] com.vmware.h4.jobengine.JobExecution : Task 2xxxxx1-3xxf-4xx0-axx3-bxxxxxxxxxx (WorkflowInfo{type='pair', resourceType='site', resourceId='Site2', isPrivate=false, resourceName=''}) completed with result VcloudSiteInfo{isLocal=false, state=PeerState{incomingCommError=null, outgoingCommError=ApiError{code='CertificateMismatch', msg='Certificate differs from the expected one.', args=[], stacktrace='com.vmware.exception.CertificateMismatchException: Certificate seen on the network differs from the certificate we expected at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:62) at com.vmware.rest.client.AbstractRestClient.genericExchange(AbstractRestClient.java:151) at com.vmware.rest.client.json.RestClient.exchange(RestClient.java:97) ... Caused by: java.security.cert.CertificateException: Certificate seen on the network differs from the certificate we expected at com.vmware.rest.client.security.ShaTrustManager.checkServerTrusted(ShaTrustManager.java:53) at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1510) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ... 46 more '}}, apiPublicUrl='https://vcav-site_fqdn_or_IP', apiVersion='null', site='Site2', description='', apiUrl='https://vcav-site.corp.org', apiThumbprint='SHA-256:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA'}
Trying to access the vCloud Director Availability plugin from vCloud Director also fails, with the error: https://Service-Endpoint-Address:8048 is not accessible.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCloud Availability 4.x.x
Cause
This issue occurs when the public API endpoint port is not explicitly set during pairing, because vCloud Availability does not default to port 443 for the public endpoints while pairing sites.
It also occurs when the public API endpoint FQDN/IP is not set correctly during pairing. When entering the endpoint URL, you must specify Tunnel_FQDN_or_IP:8048 for the remote site.
Resolution
To resolve this issue, ensure that the public API endpoint in each site explicitly states the port to be used and that, when pairing sites, the endpoint URL includes the port.
In a browser, log into the vCloud Availability Provider Portal of the first site.
In the left pane, click Configuration.
Under Service endpoints > Public API endpoint, ensure the URL mentioned is the Tunnel_Fqdn_or_IP:443.
Once the service endpoints are configured, register this Cloud Service instance with VMware Cloud Director and click Save and continue.
Log in to VMware Cloud Director.
In vCloud Director, click the More menu icon; the VCDA plugin is listed there.
Click the plugin.
It directs you to the page showing the Tunnel_FQDN_or_IP:8048 address and port.
Click the link; it directs you to the login page for the Tunnel Appliance.
To ensure your browser redirects you, the NAT rule applies, and the browser trusts the appliance certificate, enter both the https:// prefix and the /ui/admin page suffix.
If this is the first time you are opening this page in this browser, cancel the certificate prompt for adding the certificate in your browser.
Select Appliance login and enter the root user password, set during the initial OVA deployment.
Click Login.
Once you are logged in you can refresh the page and start using the vCDA plugin.
Note:
When entering the endpoint URL, you must specify the address and port number for the remote site.
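As an added diagnostic example (not part of this article or of vCloud Availability), the script below checks the two things this article turns on: that a pairing endpoint URL carries an explicit port, and whether the SHA-256 thumbprint the local site pinned (the apiThumbprint field in cloud.log) matches the certificate actually presented on a host and port. The log excerpt, the DER bytes and the function names are constructed for illustration; fetch_seen_thumbprint needs network access to the peer.

```python
import hashlib
import re
import ssl
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed excerpt shaped like the cloud.log entry in this article (placeholder values).
SAMPLE_LOG_LINE = (
    "outgoingCommError=ApiError{code='CertificateMismatch', "
    "msg='Certificate differs from the expected one.'} apiUrl='https://vcav-site.corp.org', "
    "apiThumbprint='SHA-256:" + ":".join(["AA"] * 32) + "'}"
)

def thumbprint_from_der(der: bytes) -> str:
    """SHA-256 of a DER certificate in the colon-separated form logged as apiThumbprint."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return "SHA-256:" + ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def fetch_seen_thumbprint(host: str, port: int) -> str:
    """Live check: thumbprint of the certificate actually presented on host:port."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))

def expected_thumbprint_from_log(line: str) -> Optional[str]:
    """The thumbprint the local site pinned for the peer, taken from a cloud.log entry."""
    match = re.search(r"apiThumbprint='([^']+)'", line)
    return match.group(1) if match else None

def _normalize(thumbprint: str) -> str:
    # Drop the 'SHA-256:' prefix, separators and case so differently formatted values compare.
    return re.sub(r"[^0-9a-f]", "", re.sub(r"^sha-?256:", "", thumbprint.strip().lower()))

def thumbprints_match(seen: str, expected: str) -> bool:
    """True only for a full 64-hex-digit match; anything else is a certificate mismatch."""
    return len(_normalize(expected)) == 64 and _normalize(seen) == _normalize(expected)

def endpoint_url_findings(url: str) -> List[str]:
    """Flag the omission behind this article: the pairing URL must carry an explicit port,
    because vCloud Availability does not default to 443 for public endpoints."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("scheme must be https://")
    if not parts.hostname:
        findings.append("host missing")
    if parts.port is None:
        findings.append("no explicit port (vCloud Availability does not default to 443 when pairing)")
    return findings

if __name__ == "__main__":
    print(endpoint_url_findings("https://vcav-site.corp.org"))  # missing port is reported
    expected = expected_thumbprint_from_log(SAMPLE_LOG_LINE)
    print(thumbprints_match(thumbprint_from_der(b"constructed-der"), expected))  # False
```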