VCF Installer fails to add hosts during deployment due to hostname mismatch with subject alternative name
Article ID: 409537
Updated On:
Products
Issue/Introduction
- This article provides steps to address the issue encountered during VMware Cloud Foundation Installation while validating ESX hosts to be added to the management domain. The error message
"javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]" and"Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]"
"javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx-short-name> doesn't match any of the subject alternative names: ["esx.example.com]" andCertificate for <esx.example.com> doesn't match any of the subject alternative names: [esx.example.com]" - A similar error message is seen in the VCF Installer UI.
- The following error may be observed in
/var/log/vmware/vcf/domainmanager/domainmanager.log
ERROR [vcf_dm,####,f722] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,dm-exec-8] Failed to connect to <esx.example.com>com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]
Environment
VCF 9.0
Cause
Once you have configured the ESX host's identity by providing a hostname, you must regenerate the self-signed certificate to ensure the correct common name is defined.
During the installation of ESX, the installer generates a self-signed certificate for each ESX host, but the process is performed prior to the ESX identity being configured. This means all ESX hosts have a common name in their self-signed certificate of localhost. localdomain. To ensure that the connection attempts and validation do not fail, you must manually regenerate the self-signed certificate after the hostname has been configured.
Resolution
Procedure: Generate ESX Host Certificate
1. Configure the Hostname and FQDN
Ensure the ESX host has a valid Fully Qualified Domain Name (FQDN) configured in the Direct Console User Interface (DCUI).
If the DNS name is incorrect or missing, update the hostname immediately.
Reference: Changing the hostname of an ESX host.
2. Validate FQDN via SSH
SSH into the ESX host.
Run the
hostnamecommand to verify that the FQDN is being returned correctly.
3. Regenerate the Certificate
Generate a new host certificate.
4. Reboot the Host
Reboot the ESX host directly from the DCUI to apply the changes.
Reference: Rebooting an ESX Server host.
5. Validate Certificate in Browser
Open a web browser and navigate to
https://esx-fqdn.example.com.Inspect the certificate in the browser settings.
Go to Details > Certificate Subject Alternative Name to confirm the correct FQDN is listed.
- NOTE: If, after following the procedure above to regenerate the self-signed certificates, the certificate still shows the default name, see the steps in the Additional Information below.
6. Finalize in VCF Installer
Return to the VMware Cloud Foundation (VCF) Installer.
Remove the hosts from the current list.
Re-enter the host FQDN.
Select "Confirm all signatures" and click Next.
Additional Information
The suggested changes are part of ESX host preparation. For more details, refer to VCF 9.0 Documentation under a sub-section of Preparing ESX Hosts for VMware Cloud Foundation or vSphere Foundation
If regenerating the self-signed certificates does not appear to be working, these additional steps may be necessary on the ESX host(s):
- Navigate to the SSL folder, run the command:
# cd /etc/vmware/ssl - Create a folder named Backup, run the command:
# mkdir backup - Move the existing SSL certificate files
(rui.crt and rui.key)to the backup folder, run the command:
# mv rui.* backup - Regenerate the new SSL certificates, run these commands:
# /sbin/generate-certificates.sh - Verify that the rui.* files were recreated in /etc/vmware/ssl.
- Restart management agents (services.sh restart). For more information, see Restarting the Management agents on an ESXi or ESX host (320280).
Feedback
