Apply Changes fails with error cert_chain must include a subjectAltName extension
search cancel

Apply Changes fails with error cert_chain must include a subjectAltName extension

book

Article ID: 377597

calendar_today

Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

During Apply Changes, the tiles perform template rendering. This process can be affected if the correct certificates for secure communication are not in place or the format of the certificate placed in the tile is incorrect.

Cause

After completing rotation of configurable certificates which is done manually for tiles like TAS or Isolation Segment format issues on the certificates copied to the certificate fields cause a failure to complete TLS verification and prevent the action from being completed.

An example of the error message can be seen below:

Task xxxxxxxxx | 21:33:12 | Preparing deployment: Rendering templates (00:02:11)
                           L Error: Unable to render instance groups for deployment. Errors are:
   - Unable to render jobs for instance group 'router'. Errors are:
     - Unable to render templates for job 'gorouter'. Errors are:
       - Error filling in template 'gorouter.yml.erb' (line 408: tls_pem[2].cert_chain must include a subjectAltName extension)

A certificate with a format error will result in errors when trying to decode it.

Resolution

In the Operations Manager UI go to the tile where the certificates were rotated. In this case we will show the TAS and Isolation Segment tiles for example:

TAS tile:

 

Isolation Segment tile:

Open the certificate fields and individually decode the all certificates located in this field making sure the certificate is able to decode. You can use openssl to decode the certificate using the following article: How to decode a certificate

If you get errors similar to the one observer below:

$ openssl x509 -noout -text -in cert1.crt
Could not find certificate from cert1.crt

Make sure there are no spaces, extra dashes or hidden characters in the certificate that was added to the tile. If necessary get the new certificate again from the source and copy and paste again on the certificate field, save and try the Apply Changes again.

If this fails, make sure you have the complete and correct list of subject alternative names required for this certificate, use it to generate a new certificate, replace the fault one on the tile, save it and try to Apply Changes again.

Powered by Wolken Software