Unable to commission hosts due to "Certificate for host_FQDN doesn't match any of the subject alternative names"

Article ID: 327187


Products

VMware Cloud Foundation

Issue/Introduction

  • Unable to commission new hosts in SDDC Manager. The workflow fails with the error below:
    Failed to connect to <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]
  • The following error is logged in /var/log/vmware/vcf/operationsmanager/operationsmanager.log:
    ERROR [vcf_om,dd7f90bc5d2c4573,559c] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,http-nio-127.0.0.1-7300-exec-9] Failed to connect to <host_FQDN> com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names] Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]

Cause

The error occurs when the host's FQDN is not present in the subject alternative names (SAN) of the ESXi host certificate, so TLS hostname verification in SDDC Manager rejects the certificate when it connects to the host.

Resolution

Regenerate the ESXi host certificate.
 
Follow the steps below:
  1. Log in to the ESXi Host Client.
  2. Enable SSH on the ESXi host.
    1. In the navigation pane, click Manage and then click the Services tab.
    2. Select the TSM-SSH service and click Start if it is not already running.
  3. Log in to the ESXi host using an SSH client such as PuTTY.
  4. Regenerate the self-signed certificate by executing the following command:
    /sbin/generate-certificates
  5. Reboot the ESXi host to apply the changes:
    reboot
  6. Verify that the correct hostname is listed in the new certificate:
    openssl x509 -in /etc/vmware/ssl/rui.crt -noout -text

    The X509v3 Subject Alternative Name entry should match the ESXi host FQDN.

    Sample output:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                xx:xx:xx:xx:xx:xx:xx:xx
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vcsa01.example.com, OU = VMware Engineering
            Validity
                Not Before: Sep 26 08:03:23 2024 GMT
                Not After : Sep 26 08:03:23 2029 GMT
            Subject: C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = esxi101.example.com, emailAddress = noemail@noemail.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:....b3:99
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:esxi101.example.com
                X509v3 Authority Key Identifier:
                    53:xxxxxxxx:71:53
                Authority Information Access:
                    CA Issuers - URI:https://vcsa01.example.com/afd/vecs/ca
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            32:....:c9
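As an added example (not part of this article or of any VMware tool), the check in step 6 can be automated: the script below parses the SAN extension from `openssl x509 -noout -text` output and compares the host FQDN against the DNS entries. The matching rule (case-insensitive, wildcard allowed only as the whole left-most label) is assumed to approximate what the Java verifier in SDDC Manager enforces; the embedded sample text is constructed for this example.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `openssl x509 -in /etc/vmware/ssl/rui.crt -noout -text` output,
# trimmed to the fields this check needs (assumption: the real output is larger).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Subject: C = US, O = VMware, CN = esxi101.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:esxi101.example.com, DNS:esxi101, IP Address:192.0.2.10
            X509v3 Authority Key Identifier:
                53:xx
"""

def san_dns_names(x509_text: str) -> List[str]:
    """Return the DNS: entries of the SAN extension from openssl -text output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return []  # no SAN extension at all: hostname verification will fail
    return [e.split(":", 1)[1].strip() for e in m.group(1).split(",")
            if e.strip().startswith("DNS:")]

def hostname_matches(fqdn: str, san_name: str) -> bool:
    """Compare one SAN DNS name with the FQDN: case-insensitive, trailing dot ignored,
    a wildcard must be the entire left-most label and matches exactly one label."""
    fqdn, san_name = fqdn.lower().rstrip("."), san_name.lower().rstrip(".")
    if "*" not in san_name:
        return fqdn == san_name
    first, _, rest = san_name.partition(".")
    host_label, _, host_rest = fqdn.partition(".")
    return first == "*" and bool(rest) and bool(host_label) and host_rest == rest

def check_san(fqdn: str, x509_text: str) -> Tuple[bool, List[str]]:
    """Return (fqdn is covered by the SAN, list of SAN DNS names found)."""
    names = san_dns_names(x509_text)
    return any(hostname_matches(fqdn, n) for n in names), names

def check_cert_file(fqdn: str, path: str = "/etc/vmware/ssl/rui.crt") -> Tuple[bool, List[str]]:
    """Run openssl against a certificate file (intended to be run on the ESXi host)."""
    text = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return check_san(fqdn, text)
```

If `check_san` returns False, the SAN list it returns is the same list SDDC Manager prints in the "doesn't match any of the subject alternative names" error, which makes the mismatch easy to confirm before regenerating the certificate.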



Additional Information