Upgrading or deploying a VMware NSX Edge node or Manager appliance from NSX manager UI fails: no alternative certificate subject name matches target host name

Article ID: 324178

Updated On:

Products

VMware NSX

Issue/Introduction

  • You are running VMware NSX 4.x.
  • You are trying to deploy a VMware NSX Manager or Edge node from the NSX-T manager UI and this fails with the error:
Error while fetching ovf file. ASN length at position 2 curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name '<nsx-manager-hostname>'
  • In the NSX Manager log /var/log/syslog you find the following entries:
2023-04-28T12:49:01.517Z <nsx-manager-fqdn> NSX 4541 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31705" level="ERROR" subcomp="manager"] For [test], error: Error while fetching ovf file.  ASN length at position 2#012curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name '<nsx-manager-fqdn>'#012
  • Deploying an edge node via OVF in vCenter does not encounter the same issue.
  • You may also encounter this issue during upgrade of a VMware NSX Edge node or manager appliance.
  • You may encounter an error similar to the following when upgrading the upgrade-coordinator while the NSX Manager repositories are being synced:

    [<IP>] Unable to connect to File /repository/<version.build>/Manager/vmware-mount/libgobject-2.0.so.0 on source <nsx-manager-fqdn>. Please verify file exists on source and install-upgrade service is up. 

  • In the NSX Manager log /var/log/proton/nsxapi.log you will see similar looking entries:
INFO RepoSyncThread-1687161993610 RepoSyncFileHelper 95373 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to get server info for https://nsxt-fqdn.com:443/repository/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=3022439, status=FAILED, errorCode=60, errorMessage=Unexpected ASN length at position 2
curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name 'nsxt-fqdn'
Or
INFO RepoSyncThread-1695020706074 RepoSyncFileHelper 4977 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/repository/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=1406936, status=SUCCESS, errorCode=0, errorMessage=null, commandOutput=Unexpected DNS name at position 78
Or
INFO RepoSyncThread-1698231201309 RepoSyncFileHelper 2664864 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=3775111, status=FAILED, errorCode=51, errorMessage=curl_wrapper: (51) SSL: no alternative certificate subject name matches target host name 'nsxt-fqdn.com', commandOutput=null]

Note:
The NSX version in the above log entry may be any 4.1.X version.
<path_to_file> represents the file the repository sync failed on.
The manager FQDN could also be an IP address.
  • You may encounter an error while attempting to upgrade any transport node.
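
The following triage script is an added example, not part of the original article or of NSX itself. It scans log lines for the three signatures quoted above and reports the curl error code, target host and repository path; the function name, field names and the fourth sample line are assumptions made for illustration.

```python
import re

# Signatures taken from the log excerpts in this article.
SIGNATURES = {
    "san_mismatch": re.compile(
        r"curl_wrapper: \((?P<code>\d+)\) SSL: no alternative certificate "
        r"subject name matches target host name '(?P<host>[^']+)'"),
    "asn_length": re.compile(r"ASN length at position \d+"),
    "dns_name": re.compile(r"Unexpected DNS name at position \d+"),
}
REPO_URL = re.compile(r"https://[^\s/]+(?P<path>/\S+)")
STATUS = re.compile(r"\bstatus=(\w+)")


def triage(lines):
    """Return one finding per log line that carries a signature from the article."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        text = line.replace("#012", "\n")  # syslog writes embedded newlines as #012
        hits = {name: m for name, rx in SIGNATURES.items() if (m := rx.search(text))}
        if not hits:
            continue
        san, url, status = hits.get("san_mismatch"), REPO_URL.search(text), STATUS.search(text)
        findings.append({
            "line": lineno,
            "signatures": sorted(hits),
            "curl_code": int(san["code"]) if san else None,
            "host": san["host"] if san else None,
            # Match on the message text, not on status: the "Unexpected DNS name"
            # entry in the article is logged with status=SUCCESS.
            "status": status[1] if status else None,
            "repo_path": url["path"] if url else None,
        })
    return findings


# Lines 1-3 are excerpts quoted in this article; line 4 is a constructed non-matching line.
SAMPLE_LOG = """\
2023-04-28T12:49:01.517Z <nsx-manager-fqdn> NSX 4541 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31705" level="ERROR" subcomp="manager"] For [test], error: Error while fetching ovf file.  ASN length at position 2#012curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name '<nsx-manager-fqdn>'#012
INFO RepoSyncThread-1695020706074 RepoSyncFileHelper 4977 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/repository/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=1406936, status=SUCCESS, errorCode=0, errorMessage=null, commandOutput=Unexpected DNS name at position 78
INFO RepoSyncThread-1698231201309 RepoSyncFileHelper 2664864 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=3775111, status=FAILED, errorCode=51, errorMessage=curl_wrapper: (51) SSL: no alternative certificate subject name matches target host name 'nsxt-fqdn.com', commandOutput=null]
INFO RepoSyncThread-1 RepoSyncFileHelper 1 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Repository sync completed
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To run it against real logs, pass the lines of /var/log/syslog or /var/log/proton/nsxapi.log to `triage()` instead of `SAMPLE_LOG`.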

Environment

VMware NSX

Cause

There's an issue with the download script which is used to decode SAN entries in the Manager's REST API certificate.

Resolution

This issue is resolved in VMware NSX 4.2.

Workaround:
If the issue occurs while an Edge or Manager node is being deployed from the VMware NSX Manager UI, you can deploy the VMware NSX Manager or Edge node manually on vSphere using an OVF file and join it to the management plane. Please refer to the following document for further help: VMware NSX Installation Guide.
If this workaround does not work for you, or if you encounter the symptoms mentioned above during an upgrade, please contact Broadcom Support and refer to this KB article.