VCF Installer fails to add hosts during deployment due to hostname mismatch with subject alternative name

search cancel

VCF Installer fails to add hosts during deployment due to hostname mismatch with subject alternative name

book

Article ID: 409537

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

This article provides steps to address the issue encountered during VMware Cloud Foundation Installation while validating ESX hosts to be added to management domain.The error message

"javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]" and "Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]"

"javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx-short-name> doesn't match any of the subject alternative names: [esx.example.com]" and "Certificate for <esx.example.com> doesn't match any of the subject alternative names: [esx.example.com]"
Similar error message is seen in VCF Installer UI.

Errors are also recorded in domainmanager.log:

/var/log/vmware/vcf/domainmanager/domainmanager.log

YYYY-MM-DDTHH:MIN:SEC ERROR [vcf_dm,####,f722] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,dm-exec-8] Failed to connect to <esx.example.com>
com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]

Environment

VCF 9.0

Cause

Once you have configured the

ESX

hosts' identity by providing a hostname you must regenerate the self-signed certificate to ensure the correct common name is defined.

During the installation of

ESX

, the installer generates a self-signed certificate for each

ESX

host but the process is performed prior to the

ESX i

dentity being configured. This means all

ESX

hosts have a common name in their self-signed certificate of

localhost.localdomain

. To ensure that the connection attempts and validation does not fail, you must manually regenerate the self-signed certificate after hostname has been configured.

Resolution

Procedure: Generate ESX Host Certificate

1. Configure the Hostname and FQDN

- Ensure the ESX host has a valid Fully Qualified Domain Name (FQDN) configured in the Direct Console User Interface (DCUI).
- If the DNS name is incorrect or missing, update the hostname immediately.
  - Reference: Changing the hostname of an ESX host.

2. Validate FQDN via SSH

- SSH into the ESX host.
- Run the hostname command to verify that the FQDN is being returned correctly.

3. Regenerate the Certificate

- Generate a new host certificate.
  - Reference: Regenerate the Self-Signed Certificate on ESX Hosts.

4. Reboot the Host

- Reboot the ESX host directly from the DCUI to apply the changes.
  - Reference: Rebooting an ESX Server host.

5. Validate Certificate in Browser

- Open a web browser and navigate to https://esx-fqdn.example.com.
- Inspect the certificate in the browser settings.
- Go to Details > Certificate Subject Alternative Name to confirm the correct FQDN is listed.

6. Finalize in VCF Installer

- Return to the VMware Cloud Foundation (VCF) Installer.
- Remove the hosts from the current list.
- Re-enter the host FQDN.
- Select "Confirm all signatures" and click Next.

Additional Information

The suggested changes is part of ESX host preparation. For more details please refer to VCF 9.0 Documentation under a sub-section of Preparing ESX Hosts for VMware Cloud Foundation or vSphere Foundation

Feedback

thumb_up Yes

thumb_down No