Unable to commission hosts due to "Certificate for host_FQDN doesn't match any of the subject alternative names"
search cancel

Unable to commission hosts due to "Certificate for host_FQDN doesn't match any of the subject alternative names"

book

Article ID: 327187

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

  • Unable to commission new hosts in SDDC Manager. The workflow fails with below error 
    Failed to connect to <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]
  • Error in /var/log/vmware/vcf/operationsmanager/operationsmanager.log 
    ERROR [vcf_om,dd7f90bc5d2c4573,559c] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,http-nio-127.0.0.1-7300-exec-9] Failed to connect to <host_FQDN> com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names] Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]

Cause

Issue is caused when there is no matching FQDN for the hosts in the Certificate's subject alternative names.

Resolution

Re-generate ESXi host certificate.
 
Follow the below steps:
  1. Log in to the ESXi Host Client.
  2. Enable SSH on the ESXi host.
    1. In the navigation pane, click Manage and click the Services tab.
    2. Select the TSM-SSH service and click Start if not started.
  3. Log in to the ESXi host using an SSH client such as Putty.
  4. Regenerate the self-signed certificate by executing the following command 
    /sbin/generate-certificates
  5. Reboot the ESXi to apply the changes
    reboot
  6. Verify the correct hostname is listed. 
    openssl x509 -in /etc/vmware/ssl/rui.crt -noout -text

    X509v3 Subject Alternative Name should match the ESXi host FQDN

    Sample output

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ####
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = esx.example.com, OU = VMware Engineering
        Validity
            Not Before: MM DD HH:MIN:SEC GMT
            Not After : MM DD HH:MIN:SEC GMT
        Subject: C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = esx.example.com, emailAddress = 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
             Public-Key: (2048 bit)
             Modulus:  00:##:##:99
             Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
            DNS: esx.example.com
            X509v3 Authority Key Identifier:  53:##:##:53
            Authority Information Access:  CA Issuers - URI:https://esx.example.com/afd/vecs/ca
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: 32:##:c9



Additional Information

Powered by Wolken Software