Replacing SDDC manager certificates with custom certs failed with " Could not resolve the hostname"

Article ID: 405034


Updated On:

Products

VMware SDDC Manager

Issue/Introduction

Description: The certificate installation fails because of a Java runtime exception. The errors logged for the certificate installation are shown below.

  • /var/log/vmware/vcf/operationsmanager/operationsmanager.log
YYYY-MM-DDTHH:MM:SS ERROR [vcf_om,] [c.v.v.c.s.SddcManagerCertificatePluginService,om-exec-xx] SDDC Manager Certificate Replacement failed: 
  • /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
YYYY-MM-DDTHH:MM:SS ERROR [common,] [c.v.e.s.a.u.NginxCertUtilityImpl,http-nio-127.0.0.1-####-exec-X] Problems parsing certificate
com.vmware.evo.sddc.appliance.utilities.error.CertValidatorException: Error while validating certificate

Caused by: java.security.cert.CertificateException: Could not resolve the hostname [SDDC_FQDN:Secondary_FQDN ] to an ip address

YYYY-MM-DDTHH:MM:SS ERROR [common,] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-###-exec-X] [####] CERT_REPLACEMENT_FAILED Cannot replace existing certificate with the input cert. Validations did not pass.
Make sure the input cert chain is valid. The structure must be:
server cert followed by intermediate certs followed by CA cert
OR
A self signed server cert
All certs in the chain must conform to X.509 standards.
Also make sure that the DNS name in both the CN field and the optional Subject Alternative Name extension, is a resolvable hostname
com.vmware.evo.sddc.appliance.utilities.error.ApplianceManagerException: Cannot replace existing certificate with the input cert. Validations did not pass.
Make sure the input cert chain is valid. The structure must be:
server cert followed by intermediate certs followed by CA cert

Environment

VMware Cloud Foundation 5.x

Cause

The FQDN provided during the certificate creation process does not resolve to an IP address in DNS, so SDDC Manager's certificate validation rejects the certificate before installation.

Resolution

Option 1: Validate DNS Resolution

  • What to Do:
    Check with your internal team to make sure all domain names in the CN and SAN fields of the certificate can be resolved by DNS.

  • How to do it:

    To view the certificates associated with a specific workload domain, follow the steps below:

    1. In the navigation pane, go to Inventory > Workload Domains.

    2. On the Workload Domains page, locate the domain you want to inspect in the Domain column and click its name.

    3. On the domain's Summary page, select the Certificates tab.

    The Certificates tab displays all certificates related to the selected workload domain, grouped by resource type. For each certificate, the following information is provided:

    • Resource Type

    • Issuer (Certificate Authority name)

    • Resource Hostname

    • Valid From date

    • Valid Until date

    • Certificate Status (Active, Expiring, or Expired)

    • Certificate Operation Status

    To view additional certificate details, expand the desired resource in the Resource Type column.

  • For more details, see: View Certificate Information
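    The check SDDC Manager performs (every DNS name in the CN and the SAN extension must resolve) can be run ahead of the upload. The following script is an added example, not part of this article or of VMware's tooling: it parses the text that `openssl x509 -noout -subject -ext subjectAltName -in server.crt` prints, resolves each name through the system resolver, and flags wildcard entries as well, since the CSR guidance later in this article advises against them. The openssl output embedded below is constructed with placeholder FQDNs, and the `resolver` parameter is an assumption of this example that lets the lookup be replaced for offline use.

```python
"""Pre-flight DNS check for a certificate's CN and SAN names (added example).

Input is the text printed by:
    openssl x509 -noout -subject -ext subjectAltName -in server.crt
Only the standard library is used, so no certificate parsing library is required.
"""
import re
import socket

# Constructed sample of openssl output; the FQDNs and IP are placeholders.
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Example Org, CN = sddc-manager.vcf.example.com
X509v3 Subject Alternative Name: 
    DNS:sddc-manager.vcf.example.com, DNS:sddc-secondary.vcf.example.com, DNS:*.vcf.example.com, IP Address:10.0.0.10
"""

CN_RE = re.compile(r"\bCN\s*=\s*([^,\n]+)")
SAN_DNS_RE = re.compile(r"DNS:([^,\s]+)")


def extract_names(openssl_text):
    """Return (cn, [san dns names]) from openssl's subject/SAN text.

    'IP Address:' SAN entries are intentionally skipped: they need no DNS lookup.
    """
    match = CN_RE.search(openssl_text)
    cn = match.group(1).strip() if match else None
    sans = SAN_DNS_RE.findall(openssl_text)
    return cn, sans


def default_resolver(name):
    """Resolve via the system resolver; True if at least one address comes back."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False


def check_certificate_names(openssl_text, resolver=default_resolver):
    """Classify every CN/SAN DNS name as 'ok', 'unresolvable' or 'wildcard'.

    This mirrors the validation SDDC Manager applies: the CN and each SAN DNS
    name must resolve. Wildcards are flagged separately because the CSR
    guidance advises against them.
    """
    cn, sans = extract_names(openssl_text)
    names = []
    for name in ([cn] if cn else []) + sans:
        if name not in names:          # CN is normally repeated in the SAN list
            names.append(name)
    results = {}
    for name in names:
        if name.startswith("*."):
            results[name] = "wildcard"
        elif resolver(name):
            results[name] = "ok"
        else:
            results[name] = "unresolvable"
    return results


def problem_names(results):
    """Names that would make SDDC Manager reject the certificate, sorted."""
    return sorted(name for name, status in results.items() if status != "ok")


if __name__ == "__main__":
    # Real run: uses the system resolver against the embedded sample.
    results = check_certificate_names(SAMPLE_OPENSSL_OUTPUT)
    for name, status in results.items():
        print(f"{name}: {status}")
    bad = problem_names(results)
    if bad:
        print("Could not resolve the hostname", bad,
              "- fix DNS records or regenerate the CSR without these names")
```

    Pipe the real openssl output into `check_certificate_names` before clicking Upload and Install; any name reported as `unresolvable` is exactly what produces the "Could not resolve the hostname" exception in vcf-commonsvcs.log.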

Option 2: Regenerate the Certificate

  • What to Do:
    Create a new certificate that only includes domain names (CN and SAN) that can be resolved in DNS.

  • How to do it:
    Please follow the steps below to generate a certificate:

      Step 1: Access the Workload Domain

      1. In the navigation pane, go to Inventory > Workload Domains.

      2. On the Workload Domains page, locate and click the name of the workload domain you want to manage.

      3. On the Domain Summary page, click the Certificates tab.


      Step 2: Generate Certificate Signing Requests (CSRs)

      1. From the certificate table, select the checkbox next to the resource type for which you want to generate a CSR.

      2. Click Generate CSRs to open the Generate CSRs wizard.


      Step 3: Configure CSR Details

      1. In the Details dialog:

        • Algorithm: Select the key algorithm (e.g., RSA).

        • Key Size: Choose from 2048, 3072, or 4096 bits.

        • Email: (Optional) Provide a contact email address.

        • Organizational Unit: Enter the relevant department/division.

        • Organization Name: Enter the legally registered name of the company.

        • Locality: Provide the city where the organization is registered.

        • State: Enter the full name of the state or region (no abbreviations).

        • Country: Enter the ISO 3166 country code.

      2. Click Next.


      Step 4: Enter Subject Alternative Names (Optional)

      1. In the Subject Alternative Name dialog, enter one or more SAN entries separated by comma, semicolon, or space.

        Note: Avoid using wildcard entries (e.g., *.example.com). For NSX, include SANs for each node and the primary virtual IP.

      2. Click Next.


      Step 5: Generate and Download CSRs

      1. Review your settings on the Summary page, then click Generate CSRs.

      2. Click Download CSR and save the files locally.

      3. Submit each CSR file to your third-party Certificate Authority (CA) to obtain signed certificates.


      Step 6: Upload and Install Signed Certificates

      1. Once you receive the signed certificates, return to the Certificates tab in the SDDC Manager UI.

      2. Click Upload and Install.

      3. In the Install Signed Certificates dialog:

      • Select the appropriate resource from the dropdown (must match previously generated CSRs).

      • Choose the certificate Source:

        • Paste Text: Paste the server certificate and CA chain in PEM format.

        • File Upload: Browse and upload server and CA certificate files (.crt, .cer, .pem, .p7b, .p7c).

        • Certificate Chain: Upload the full chain if required.


      Step 7: Validate and Complete Installation

      1. Click Validate.

      • If validation fails, resolve the issue and retry or click Remove to skip.

      2. To install certificates for additional resources, click Add Another and repeat Steps 13–16.

      3. Once all certificates are validated successfully, click Install.

  • For more details, see: Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files