Deploying VCF infra fails at "Preparing Security Requirements for Running Validation" Stage.

Article ID: 376863

Updated On:

Products

VMware SDDC Manager VMware Cloud Foundation

Issue/Introduction

  • Error in VCF Cloud Builder
  • Error in /var/log/vmware/vcf/bringup/vcf-bringup.log
    [bringup,66d7############27db,4a02] ERROR [c.v.evo.sddc.common.util.SslUtil,pool-2-thread-15] Error occurred while getting certificate chain for 'ESXi_FQDN:443'. java.net.UnknownHostException: ESXi_FQDN
    [bringup,66d7############27db,4a02] ERROR [c.v.e.s.i.g.v.CollectEmsSecurityDetailsAction,pool-2-thread-15] Failed to fetch certificates for the ESXi host: ESXi_FQDN
    [bringup,66d7faf0955781b567c73e0390768fa7,4615] INFO  [c.v.v.b.c.v1.BringupPublicController,http-ni
    ng validation status with ID 462c####-####-####-########39c0
    [bringup,66d7############27db,4a02] ERROR [c.v.e.s.c.c.v.esx.EsxCommandExecutor,pool-2-thread-15] Failed to connect to ESXi_FQDN com.vmware.vim.vmomi.client.exception.ConnectionException: https://ESXi_FQDN/sdk invocation failed with "java.net.UnknownHostException: ESXi_FQDN"

Environment

SDDC 5.2.x

Cause

This error is encountered when the ESXi certificate is not properly configured, i.e. the hostname does not match the certificate's Subject Alternative Name (SAN).

Resolution

    • Validate the SAN in the ESXi certificate. If it is incorrect, change the SAN in the ESXi certificate.

      Example of incorrect SAN name (screenshot not reproduced here)

    • Follow the steps below to change the SAN in the ESXi certificate and regenerate it:

      1. SSH to the ESXi host.
      2. Run the following command (required so that the generate-certificates file can be copied and replaced in the later steps):
        vsish -e set /config/VisorFS/intOpts/VisorFSPristineTardisk 0
      3. Navigate to the bin directory:
        cd /usr/sbin
      4. Make a copy of the generate-certificates file:
        cp generate-certificates generate-certificates-bkp
      5. Edit the backup file:
        vi generate-certificates-bkp
      6. Edit the SAN field to the required entries, as follows: DNS:<ESXi_FQDN>,DNS:<ESXi_IP>,DNS:<ESXi_Shortname>
      7. Replace the original file with the edited copy:
        mv generate-certificates-bkp generate-certificates
      8. Regenerate the self-signed certificate by running:
        /sbin/generate-certificates
      9. Reboot the host.
      10. Validate the ESXi certificate; the SAN should now reflect the correct values.
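To make the validation in step 10 repeatable across all management-cluster hosts, here is an added example (not part of this KB article) that checks whether a certificate's SAN lists every name the host is reached by. It assumes OpenSSL 1.1.1 or later on the machine running the check; the host name esx01.example.com and IP 192.0.2.10 are constructed sample values, and the checker matches the IP whether it was entered as a DNS: entry (as in step 6) or as an IP: entry.

```shell
#!/bin/sh
# Added example, not from the KB: confirm an ESXi certificate's SAN covers the
# FQDN, IP and short name. Requires OpenSSL 1.1.1+ (-ext / -addext options).

# cert_sans <cert.pem>: print one SAN value per line, DNS:/IP Address: prefixes stripped.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://'
}

# check_san <cert.pem> <name>...: return 0 when every name is a SAN entry,
# otherwise report each missing name and return 1.
check_san() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx -- "$name"; then
            echo "missing SAN entry: $name"
            missing=1
        fi
    done
    return $missing
}

# fetch_cert <host> <outfile>: save the certificate a live ESXi host presents
# on :443 so it can be passed to check_san (needs network access to the host).
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# make_test_cert <outfile> <san-spec>: constructed self-signed certificate that
# stands in for a real host here; the key is written next to the certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=esx01.example.com" -addext "subjectAltName=$2" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Usage against a real host (constructed names):
#   fetch_cert esx01.example.com /tmp/esx01.pem
#   check_san /tmp/esx01.pem esx01.example.com 192.0.2.10 esx01 && echo "SAN OK"
```

Run check_san once per management-cluster host after the reboot in step 9; a non-zero exit with "missing SAN entry" lines means the SAN still needs correcting.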

Additional Information

This procedure must be performed on all hosts in the management cluster.

You must run the vsish command in order to copy and move the generate-certificates file.

The generate-certificates file is copied to a backup and the backup is modified because the generate-certificates file itself cannot be edited in place.

Use the actual FQDN, IP, and short name in both locations in the file.