"vCenter Server Appliance FQDN does not match the certificate in VMware Endpoint Certificate Store" while upgrading from vCenter 6.5/6.7 to 7.0

Article ID: 320115

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

Upgrade from vCenter 6.5/6.7 to VCSA 7.0 fails with the error:
 
The vCenter Server Appliance FQDN <FQDN of the vCenter> does not match the certificate in VMware Endpoint Certificate Store


Environment

VMware vCenter Server 7.0.x

Cause

This issue occurs under the following conditions:
  • The error occurs when the arguments are passed to the check: the sso.cert.dnsnames value is supposed to be comma separated, but the entries appear to be simply concatenated.
  • Because the DNS entries are concatenated, the PNID does not equal any DNS name, and the check fails.
  • The Common Name (CN) is the same as the PNID.
  • The certificate has multiple DNS entries in the SAN.
  • The workflow first checks the PNID against the CN; if that match fails, the PNID is then checked against the DNS entries.

Resolution


VMware is aware of this issue.

Currently, there is no resolution.

Workaround:
To work around this issue, use one of these options:

 

Workaround 1

Ensure the Common Name (CN) matches the PNID when generating the certificates.

OR 

Workaround 2

  1. Generate new certificates where both DNS and IP contain only one value.
     Example: DNS contains only test.example.com, and the CN is also changed to test.example.com.
  2. Replace the Machine SSL Certificate in VCSA 6.7 U3 and perform the upgrade to 7.0.
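
The following is an added example, not VMware code: a small Python model of the check order described under Cause (PNID against CN, then against the DNS entries), useful for judging before an upgrade whether a Machine SSL certificate would trip the concatenation problem and why either workaround avoids it. The function names, the sample certificate text and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Constructed sample, trimmed, in the style of `openssl x509 -noout -text` output.
SAMPLE = """\
        Issuer: CN = CA, DC = vsphere, DC = local
        Subject: CN = vcsa.example.com, O = Example
            X509v3 Subject Alternative Name:
                DNS:vc01.example.com, DNS:vc01, IP Address:192.0.2.10
"""

def parse_cert_text(text):
    """Return (subject CN, [SAN DNS names]) from openssl text output."""
    # Anchor on the Subject line so the Issuer CN is not picked up by mistake.
    m = re.search(r"^\s*subject\s*[:=].*?\bCN\s*=\s*([^,/\n]+)", text, re.I | re.M)
    cn = m.group(1).strip() if m else None
    return cn, re.findall(r"DNS:([^,\s]+)", text)

def check_passes(pnid, cn, dnsnames_arg):
    """Model of the order the article describes: PNID vs CN, then vs DNS entries.
    dnsnames_arg is the string handed to the check (meant to be comma separated).
    Assumption: names are compared case-insensitively."""
    pnid = pnid.lower()
    if cn and cn.lower() == pnid:
        return True
    names = [d.strip().lower() for d in dnsnames_arg.split(",")]
    return pnid in names

def assess(pnid, cert_text):
    """Evaluate the certificate with the intended and the concatenated argument."""
    cn, dns = parse_cert_text(cert_text)
    ok_separated = check_passes(pnid, cn, ",".join(dns))
    ok_concatenated = check_passes(pnid, cn, "".join(dns))  # faulty argument form
    return {
        "cn": cn,
        "dns": dns,
        "passes_comma_separated": ok_separated,
        "passes_concatenated": ok_concatenated,
        # Valid certificate that fails only because the DNS entries were joined.
        "affected": ok_separated and not ok_concatenated,
    }

if __name__ == "__main__":
    print(assess("vc01.example.com", SAMPLE))
```

To use it against a real appliance, paste the text output of the Machine SSL certificate in place of the sample and pass the appliance's PNID as the first argument.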



Additional Information