Unable to commission hosts due to "Certificate for host_FQDN doesn't match any of the subject alternative names"
search cancel

Unable to commission hosts due to "Certificate for host_FQDN doesn't match any of the subject alternative names"

book

Article ID: 327187

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

  • Unable to commission new hosts in SDDC Manager. The workflow fails with below error
    Failed to connect to <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]
  • Error in /var/log/vmware/vcf/operationsmanager/operationsmanager.log
    ERROR [vcf_om,dd7f90bc5d2c4573,559c] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,http-nio-127.0.0.1-7300-exec-9] Failed to connect to <host_FQDN> com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names] Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <host_FQDN> doesn't match any of the subject alternative names: [list, of, names]

Cause

Issue is caused when there is no matching FQDN for the hosts in the Certificate's subject alternative names.

Resolution

Re-generate ESXi host certificate.
 
Follow the below steps:
  1. Log in to the ESXi Host Client.
  2. Enable SSH on the ESXi host.
    1. In the navigation pane, click Manage and click the Services tab.
    2. Select the TSM-SSH service and click Start if not started.
  3. Log in to the ESXi host using an SSH client such as Putty.
  4. Regenerate the self-signed certificate by executing the following command
    /sbin/generate-certificates
  5. Reboot the ESXi to apply the changes
    reboot
  6. Verify the correct hostname is listed.
    openssl x509 -in /etc/vmware/ssl/rui.crt -noout -text

    X509v3 Subject Alternative Name should match the ESXi host FQDN

    Sample output

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: ####
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = esx.example.com, OU = VMware Engineering
            Validity
                Not Before: MM DD HH:MIN:SEC GMT
                Not After : MM DD HH:MIN:SEC GMT
            Subject: C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = esx.example.com, emailAddress = 
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:  00:##:##:99
                 Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                DNS: esx.example.com
                X509v3 Authority Key Identifier:  53:##:##:53
                Authority Information Access:  CA Issuers - URI:https://esx.example.com/afd/vecs/ca
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value: 32:##:c9



Additional Information