SDDC Manager Certificate Installation task Fails Without Error Details in UI
Article ID: 399945

Products

VMware SDDC Manager

Issue/Introduction

  • When replacing the certificate for the SDDC component only (i.e., without performing a certificate replacement for any other component), the certificate validation succeeds in the UI.
  • However, the certificate installation operation subsequently fails, and no useful error details are displayed in the UI:

Message: Failed to replace certificate for [redacted] due to:
Remediation Message:
Reference Token:
Cause:

  • As shown above, the cause description for the failed certificate replacement operation is missing.
  • In the /var/log/vmware/vcf/operationsmanager/operationsmanager.log, the failure is recorded as an API exception; however, the specific error details are not provided.
[YYYY-MM-DDTHH:MM:SS] ERROR [vcf_om,#######################] [c.v.v.c.s.SddcManagerCertificatePluginService,om-exec-24] SDDC Manager Certificate Replacement failed:
com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiException:
at com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiClient.handleResponse(ApiClient.java:788)
at com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiClient.execute(ApiClient.java:708)
  • The /var/log/vmware/commonsvcs/vcf-commonsvcs.log file contains additional details that help identify the root cause of the failure.
[YYYY-MM-DDTHH:MM:SS] INFO  [common,684#######################4513e8,aa7e] [c.v.e.s.a.u.utils.DnsResolutionUtils,http-nio-127.0.0.1-7100-exec-6] Dns name <_sddc_fqdn>, resolved to IPs [127.0.0.1]
[YYYY-MM-DDTHH:MM:SS] ERROR [common,684#######################4513e8,aa7e] [c.v.e.s.a.u.utils.SslCertValidator,http-nio-127.0.0.1-7100-exec-6] Certificate validations failed
java.security.cert.CertificateException: Hostname in CN field [_sddc_fqdn] could not be resolved to an IP address of the SDDC manager [###.###.###.###]
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.validateCNAndSANDnsName(SslCertValidator.java:295)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.validateCertChain(SslCertValidator.java:262)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.validateCertsInChain(SslCertValidator.java:142)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.performERICertValidations(SslCertValidator.java:133)
 
(Where _sddc_fqdn is the actual FQDN of the SDDC Manager and ###.###.###.### is the actual IP address of the SDDC Manager.)
  • DNS name resolution of the SDDC Manager is correct for both forward and reverse lookups.

Environment

VCF 5.2.x.x

Cause

  • During the SDDC Manager certificate replacement, the commonsvcs API is invoked. It validates that the FQDN presented in the certificate resolves to an IP address of the SDDC Manager.
  • This validation fails because the DNS Java library was recently upgraded from version 2.1.9 to 3.6.3. The upgrade introduces significant API changes, and incompatibilities between the two versions can cause DNS resolution issues such as the one logged above.

Resolution

Steps to perform before retrying the certificate replacement:

  • Take a snapshot of the SDDC Manager VM.

  • SSH to the SDDC Manager as the vcf user and switch to root.

  • Back up the /etc/hosts file:
    cp /etc/hosts /etc/hosts.bak

  • Edit the /etc/hosts file:
    vi /etc/hosts

  • Comment out the line where the SDDC Manager FQDN is mapped to 127.0.0.1 by adding # at the beginning of the line.
    Example:

    127.0.0.1 localhost.localdomain
    127.0.0.1 localhost
    127.0.0.1 photon
    # End /etc/hosts (network card version)
    #127.0.0.1 FQDN_of_SDDC_Manager

  • After the certificate replacement is complete, restore the /etc/hosts file by uncommenting the entry that maps <FQDN_of_SDDC_Manager> to 127.0.0.1.

Alternate Solution (if the above steps did not resolve the issue):

  • Take a snapshot of the SDDC Manager VM.

  • SSH to the SDDC Manager as the vcf user and switch to root.

  • Back up the /etc/hosts file:
    cp /etc/hosts /etc/hosts.bak

  • Edit the /etc/hosts file:
    vi /etc/hosts

  • Add the SDDC Manager IPv4 address to the /etc/hosts file (format: <IPv4> <FQDN> <Alias/Shortname>) above the localhost entry.
    Example:
    192.x.x.x example.domain.com example
    127.0.0.1 localhost

  • Retry the certificate replacement operation as described in the KB article: Replacing SDDC certificates with VMCA.
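As an added illustration (not VMware's code), the following Python models the DNS check that the commonsvcs validator performs and runs it against three constructed /etc/hosts variants: the failing loopback mapping described under Cause, the commented-out entry from the first Resolution, and the IPv4-first entry from the Alternate Solution. The FQDN, IP address and DNS answers are constructed sample values; the real appliance resolver and validator are more involved than this model.

```python
"""Added example (not VMware's code): a simplified model of the DNS check that
SslCertValidator.validateCNAndSANDnsName performs. It resolves the certificate
FQDN the way the appliance does (/etc/hosts first, DNS second) and requires an
address of the SDDC Manager to come back. All values below are constructed."""

SDDC_FQDN = "sddc-manager.example.com"  # constructed sample FQDN
SDDC_IP = "192.0.2.10"                  # constructed sample appliance IP
# Stand-in for the real DNS, which the KB says resolves correctly.
FAKE_DNS = {SDDC_FQDN: [SDDC_IP]}


def resolve_from_hosts(hosts_text: str, name: str) -> list[str]:
    """Return every address /etc/hosts maps to `name`, in file order.
    '#' starts a comment, so a commented-out line no longer counts;
    hostname matching is case-insensitive, as in glibc."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if name.lower() in (n.lower() for n in fields[1:]):
            hits.append(fields[0])
    return hits


def resolve(hosts_text: str, name: str) -> list[str]:
    """The hosts file wins; DNS is consulted only when it has no entry."""
    return resolve_from_hosts(hosts_text, name) or FAKE_DNS.get(name, [])


def validate_cn_dns(hosts_text: str, fqdn: str, manager_ip: str) -> tuple[bool, str]:
    """The validator's decision: the CN FQDN must resolve to an address of
    the SDDC Manager, so a loopback-only answer from /etc/hosts fails."""
    ips = resolve(hosts_text, fqdn)
    if manager_ip in ips:
        return True, f"{fqdn} resolved to {ips}: OK"
    return False, (f"Hostname in CN field [{fqdn}] resolved to {ips}, not to "
                   f"an IP address of the SDDC manager [{manager_ip}]")


# Constructed /etc/hosts variants: the failing original, the first fix
# (entry commented out) and the alternate fix (IPv4 entry above localhost).
HOSTS_BROKEN = f"127.0.0.1 localhost\n127.0.0.1 {SDDC_FQDN} sddc-manager\n"
HOSTS_COMMENTED = f"127.0.0.1 localhost\n#127.0.0.1 {SDDC_FQDN} sddc-manager\n"
HOSTS_ALTERNATE = f"{SDDC_IP} {SDDC_FQDN} sddc-manager\n127.0.0.1 localhost\n"

if __name__ == "__main__":
    for label, text in (("broken", HOSTS_BROKEN), ("commented", HOSTS_COMMENTED),
                        ("alternate", HOSTS_ALTERNATE)):
        print(label, *validate_cn_dns(text, SDDC_FQDN, SDDC_IP))
```

Running it against the real appliance would mean replacing FAKE_DNS with an actual lookup and feeding in the contents of /etc/hosts before retrying the certificate replacement.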