Error: "Certificate differs from the expected one" when pairing a new On-Premises site to a Cloud Director site

Article ID: 379676

Products

VMware Cloud Director

Issue/Introduction

  • When you pair a new On-Premises VMware Cloud Director Availability (VCDA) instance to a Cloud Director site, you see the following error:

    Certificate differs from the expected one

  • In the /opt/vmware/h4/replicator/log/replicator.log file on the On-Premises VMware Cloud Director Availability Appliance, you see messages similar to:

    2024-10-02 11:24:31.528 DEBUG - [UI-########-####-####-####-########47c5-r138-xE] [job-2] c.v.r.client.security.ShaTrustManager  : Expected thumbprint: SHA-256:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:E3:0E. Actual certificate:
    subject: O: unknown, OU: unknown, CN: manager.vm
    issuer: C: <Country Name>, ST: <State Or Province Name>, L: <Locality>, O: <Organization>, OU: <Organizational Unit>, CN: <Common Name>
    valid from: YYYY-MM-DD hh:mm:ss
    valid to: YYYY-MM-DD hh:mm:ss
    SHA-256:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:47:E1
     
    2024-10-02 11:24:31.529 ERROR - [UI-########-####-####-####-########47c5-r138-xE] [job-2] com.vmware.h4.jobengine.JobExecution  : Task ########-####-####-####-########3871 (WorkflowInfo{type='pairWithCloud', resourceType='site', resourceId='null', isPrivate=false, resourceName='null'}) has failed
     
    com.vmware.exception.CertificateMismatchException: Certificate seen on the network differs from the certificate we expected
        at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:67)
        at com.vmware.rest.client.AbstractRestClient.genericExchange(AbstractRestClient.java:160)
        ...

  • The issuer information for the certificate observed on the network is not the issuer of the actual certificate for the Manager Service in the Cloud Director site.

Environment

VMware Cloud Director Availability 4.x

Cause

This issue occurs when a product or solution between the two sites inspects the traffic. The VMware Cloud Director Availability services use end-to-end encryption for communication across sites and do not support any TLS-terminating products or solutions placed between the appliances.
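
To confirm this cause from the appliance side, the expected and actual thumbprints and the issuer recorded by ShaTrustManager can be pulled out of replicator.log and compared with the issuer the Cloud Director site really uses. The following is an added example, not VMware code: the function name find_mismatches, its real_issuer parameter, and the shortened fingerprints and issuer names in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the replicator.log excerpt above
# (fingerprints shortened to 4 bytes; issuer values are made up).
SAMPLE_LOG = """\
2024-10-02 11:24:31.528 DEBUG - [UI-r138-xE] [job-2] c.v.r.client.security.ShaTrustManager  : Expected thumbprint: SHA-256:AA:BB:E3:0E. Actual certificate:
subject: O: unknown, OU: unknown, CN: manager.vm
issuer: C: XX, O: Example Inspection Proxy, CN: Example Proxy CA
valid from: 2024-01-01 00:00:00
valid to: 2025-01-01 00:00:00
SHA-256:11:22:47:E1
2024-10-02 11:24:31.529 ERROR - [UI-r138-xE] [job-2] com.vmware.h4.jobengine.JobExecution  : Task has failed
"""

# One multi-line ShaTrustManager entry: expected thumbprint, then the
# certificate seen on the network (subject, issuer, validity, fingerprint).
ENTRY = re.compile(
    r"^\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) .*?ShaTrustManager\s*: "
    r"Expected thumbprint: (?P<expected>SHA-256(?::[0-9A-F]{2})+)\. "
    r"Actual certificate:\s*\n"
    r"\s*subject: (?P<subject>.*)\n"
    r"\s*issuer: (?P<issuer>.*)\n"
    r"(?:\s*valid (?:from|to): .*\n)*\s*(?P<actual>SHA-256(?::[0-9A-F]{2})+)",
    re.MULTILINE | re.IGNORECASE,
)

def find_mismatches(log_text, real_issuer=None):
    """Return one dict per ShaTrustManager entry whose thumbprints differ."""
    findings = []
    for m in ENTRY.finditer(log_text):
        if m["expected"].upper() == m["actual"].upper():
            continue  # certificate on the wire is the pinned one
        issuer = m["issuer"].strip()
        findings.append({
            "time": m["ts"],
            "expected": m["expected"],
            "actual": m["actual"],
            "subject": m["subject"].strip(),
            "issuer": issuer,
            # True when the issuer on the wire is not the one the cloud site
            # uses, which points at a TLS-terminating device in the path.
            "issuer_differs": None if real_issuer is None else real_issuer not in issuer,
        })
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG, real_issuer="Real Cloud Site CA"):
        print(finding)
```

Pass the issuer string of the Manager Service certificate, as reported by the Cloud Director site, as real_issuer; a finding with issuer_differs set to True matches the condition described in this article.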

Resolution

To resolve this issue, disable traffic inspection on the solution that is inspecting the traffic and configure it in pass-through mode.

Additional Information