Commissioning host failing with Error "Ensure host has a valid certificate with a fully qualified domain name in its Common Name and Subject Alternative Name"

Article ID: 324049

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:

  • New hosts cannot be commissioned into SDDC; the workflow fails with the error "Ensure host has a valid certificate with a fully qualified domain name in its Common Name and Subject Alternative Name"
  • Regenerating the SSL certificate doesn't fix the issue
  • The host certificate shows that the host has a valid certificate with a fully qualified domain name in its Common Name and Subject Alternative Name
  • The certificateValidationEnabled flag is set to false on SDDC
  • Errors seen in the operationsmanager log:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:110)
        at com.vmware.vcf.secure.truststore.DynamicTrustManager.checkServerTrusted(DynamicTrustManager.java:51)
        at com.vmware.vcf.secure.config.LazyTrustManager.checkServerTrusted(LazyTrustManager.java:121)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1510)

Environment

VMware Cloud Foundation 4.x

Cause

The issue is caused by the certificateValidationEnabled flag being set to false. In a normal setup, the certificateValidationEnabled flag should be true, and the normal host validation workflow uses a temporary truststore for validating the certificate.

When certificateValidationEnabled is false, the host validation workflow uses the Java truststore for validating the certificate. When the root certificate is not present in the Java truststore, the validation workflow throws the exception.
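
The distinction described above (certificate names are fine, trust path is not) can be reproduced offline with openssl. This is an added example, not part of the original article or any VMware/Broadcom tooling: it builds a constructed root CA and host certificate and checks the name and the chain separately. The host name esxi01.example.test, all file names, and the use of a PEM file as a stand-in for the Java truststore are assumptions.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name, key and file here is made up for illustration.

# Write a minimal openssl config so the result does not depend on the system default.
write_cnf() {  # $1 = output file, $2 = CN, $3 = line for the [ext] section
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\n%s\n' "$2" "$3" > "$1"
}

build_demo_pki() {  # $1 = working directory
  d=$1
  write_cnf "$d/ca.cnf" "Demo Root CA" "basicConstraints=critical,CA:TRUE"
  write_cnf "$d/other.cnf" "Unrelated Root CA" "basicConstraints=critical,CA:TRUE"
  write_cnf "$d/host.cnf" "esxi01.example.test" "subjectAltName=DNS:esxi01.example.test"
  # Two self-signed roots: "ca" signs the host certificate, "other" does not.
  for ca in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/$ca.cnf" \
      -extensions ext -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  # Host certificate with the FQDN in both CN and SAN, signed by the demo root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/host.cnf" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/host.cnf" -extensions ext \
    -out "$d/host.pem" 2>/dev/null
}

# Does the certificate carry the FQDN? (what the commissioning error message asks for)
name_ok() {  # $1 = certificate, $2 = FQDN
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Does the chain build to a root in the given trust store? (what fails in the log)
chain_ok() {  # $1 = trust store PEM (stand-in for a truststore), $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  name_ok "$d/host.pem" esxi01.example.test && n=yes || n=no
  chain_ok "$d/ca.pem" "$d/host.pem" && t=yes || t=no      # issuing root present
  chain_ok "$d/other.pem" "$d/host.pem" && u=yes || u=no   # issuing root absent
  rm -rf "$d"
  echo "name_match=$n trusted_with_root=$t trusted_without_root=$u"
}

demo
```

The last field corresponds to the PKIX path building failure in the log: the same certificate passes the name check but cannot be chained to any root in the store used for validation.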

Resolution

Please open a case with Broadcom Support.