Upgrading or deploying an VMware NSX Edge node or Manager appliance from NSX-T manager UI fails: no alternative certificate subject name matches target host name
search cancel

Upgrading or deploying an VMware NSX Edge node or Manager appliance from NSX-T manager UI fails: no alternative certificate subject name matches target host name

book

Article ID: 324178

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are running VMware NSX 4.x.
  • You are trying to deploy an VMware NSX Manager or Edge node from the NSX-T manager UI and this fails with error:
Error while fetching ovf file. ASN length at position 2 curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name '<nsx-manager-hostname>'
Screenshot 2023-05-03 160111.png
  • In the NSX Manager log /var/log/syslog you find the following entries:
2023-04-28T12:49:01.517Z <nsx-manager-fqdn> NSX 4541 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31705" level="ERROR" subcomp="manager"] For [test], error: Error while fetching ovf file.  ASN length at position 2#012curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name '<nsx-manager-fqdn>'#012
  • Deploying an edge node via OVF in vCenter does not encounter the same issue.
  • You may also encounter this issue during upgrade of a VMware NSX Edge node or manager appliance.
  • You may encounter an error similar to the following when upgrading the upgrade-coordinator while the NSX Manager repositories are being synced:
image.png
 
  • In the NSX Manager log  /var/log/proton/nsxapi.log you will see similar looking entries:
INFO RepoSyncThread-1687161993610 RepoSyncFileHelper 95373 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to get server info for https://nsxt-fqdn.com:443/repository/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=3022439, status=FAILED, errorCode=60, errorMessage=Unexpected ASN length at position 2
curl_wrapper: (60) SSL: no alternative certificate subject name matches target host name 'nsxt1-mgr1.com'

Or
INFO RepoSyncThread-1695020706074 RepoSyncFileHelper 4977 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/repository/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=1406936, status=SUCCESS, errorCode=0, errorMessage=null, commandOutput=Unexpected DNS name at position 78
Or
INFO RepoSyncThread-1698231201309 RepoSyncFileHelper 2664864 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to check if remote file exists for https://nsxt-fqdn.com:443/4.1.X/<path_to_file> returned result CommandResultImpl [commandName=null, pid=3775111, status=FAILED, errorCode=51, errorMessage=curl_wrapper: (51) SSL: no alternative certificate subject name matches target host name 'nsxt-fqdn.com'
, commandOutput=null]

Note:
The NSX version in the above log entry may be any 4.1.X version.
<path_to_file> represents the file the repository sync failed on.
The manager FQDN, could also be an IP address.
  • You may encounter an error while attempting to upgrade any transport node.


Environment

VMware NSX-T Data Center

Cause

There's an issue with the download script which is used to decode SAN entries in the Manager's REST API certificate.

Resolution

The issue with manager and edge nodes failing to deploy, as mentioned in the symptoms is resolved in VMware NSX 4.1.0.2 available at VMware downloads.
The issue with upgrades failing due to a RepoSyncFileHelper issue, is a known issue impacting VMware NSX.

Workaround:
If the issue encountered is when an edge or manager node is being deployed from the VMware NSX manager UI, then you can deploy the VMware NSX manager or Edge node manually on vSphere using an OVF file and join it to the management plane. Please refer to the following document for further help: VMware NSX Installation Guide.
If this workaround does not work for you or if you encounter the mentioned above symptoms for during an upgrade, please open a support request with VMware GSS and refer to this KB article.