PNID Change Causing WCP and Managed Service to Fail: Certificate Validation Issue
Article ID: 387415

Products

VMware vCenter Server

Issue/Introduction

After performing a PNID (Platform Network ID) change on the vCenter Server, the WCP (vSphere Client) and managed services fail to start. Upon investigation, the following error is observed in the logs:

/var/log/vmware/wcp/wcpsvc.log

<timestamp> error wcp [vclib/client.go:222] Failed to create new client: Post " https://<masked-ip>/sdk": x509: cannot validate certificate for <masked-ip> because it doesn't contain any IP SANs

Environment

vCenter 7.x

vCenter 8.x

Cause

The root cause is that the vCenter Server SSL certificate fails validation after the PNID change. The certificate does not include the vCenter IP address in its Subject Alternative Name (SAN) extension, and an IP SAN is required when a client connects to the server by its new IP address rather than by hostname.

The WCP log entry shows exactly this: the certificate cannot be validated for the new IP address: x509: cannot validate certificate for <masked-ip> because it doesn't contain any IP SANs
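The error text in the log comes from Go's crypto/x509 hostname verification, which is what a Go client such as wcpsvc uses. The following is an added example, not code from the KB article or from VMware: it builds two throwaway self-signed certificates (one with only a DNS SAN, one that also carries an IP SAN) and runs the same verification a client performs when it dials the server by IP. The hostname vcenter.example.test and the address 10.0.0.5 are constructed placeholders. The CheckIPSAN function can also be pointed at a certificate parsed from a real server after the reset to confirm the IP SAN is present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeCert builds a throwaway self-signed server certificate for hostname.
// ips is the list of IP SANs to embed; nil produces a certificate with a
// DNS SAN only, which is the shape that triggers the WCP error above.
func MakeCert(hostname string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckIPSAN runs the hostname/IP check a TLS client performs when it dials
// the server at addr (a hostname or IP). It returns the x509 error text, or
// "" when the certificate is valid for addr.
func CheckIPSAN(cert *x509.Certificate, addr string) string {
	if err := cert.VerifyHostname(addr); err != nil {
		return err.Error()
	}
	return ""
}

// IPSANs lists the IP SANs a certificate carries, useful as a post-reset check.
func IPSANs(cert *x509.Certificate) []string {
	out := make([]string, 0, len(cert.IPAddresses))
	for _, ip := range cert.IPAddresses {
		out = append(out, ip.String())
	}
	return out
}

func main() {
	const host = "vcenter.example.test" // constructed placeholder
	const ip = "10.0.0.5"               // constructed placeholder

	// Certificate as produced without filling in the 'IPAddress' prompt.
	noIP, err := MakeCert(host, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("connect by IP, no IP SAN:   %q\n", CheckIPSAN(noIP, ip))

	// Certificate as produced with the vCenter IP entered at the prompt.
	withIP, err := MakeCert(host, []net.IP{net.ParseIP(ip)})
	if err != nil {
		panic(err)
	}
	fmt.Printf("connect by IP, with IP SAN: %q\n", CheckIPSAN(withIP, ip))
	fmt.Printf("IP SANs present: %v\n", IPSANs(withIP))
}
```

The first certificate reproduces the wcpsvc error verbatim; the second validates cleanly for both the hostname and the IP, which is the state the certificate reset below is meant to produce.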

Resolution

  1. Reset the certificates using the vSphere Certificate Manager tool after the PNID change.
  2. During the certificate reset, enter the vCenter Server IP address at the 'IPAddress' prompt so that the new certificate carries an IP SAN. This allows the certificate to be validated when services connect by IP address.
  3. Follow the steps outlined in the Broadcom article: How to Use vSphere Certificate Manager to Replace Self-Signed Certificates.

Additional Information

If you encounter issues with certificates that do not contain the necessary IP SAN, review your vSphere Certificate Manager configuration and make sure the IP address is entered correctly during the reset.

Enter these values as prompted by the VMCA (see the 'IPAddress' [optional] prompt to confirm the IP):

Please configure certool.cfg file with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] : (Note: Value for Country should be only 2 letters)
Enter proper value for 'Name' [Default value : CA] : (Note: As stated below, this value will be the PNID)
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' [optional] : (Note: Add the vCenter IP address here)
Enter proper value for 'Email' [Default value : [email protected]] :
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.example.com] :
Enter proper value for VMCA 'Name': (Note: This information will be requested from vCenter Server 6.0 U3, 6.5 and later builds, you may use the FQDN/PNID of vCenter Server for this field. It will be used as a Common Name for the VMCA Root Certificate)


Refer to the Broadcom KB article for detailed steps on resetting the self-signed certificates.