This article provides steps to resolve an error encountered during VMware Cloud Foundation installation while validating the ESX hosts to be added to the management domain. Validation fails with the error messages "javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]" and "Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]".
A similar error message is seen in the VCF Installer UI.
The following entry is logged in /var/log/vmware/vcf/domainmanager/domainmanager.log:
YYYY-MM-DDTHH:MIN:SEC ERROR [vcf_dm,####,f722] [c.v.e.s.c.c.v.esx.EsxCommandExecutor,dm-exec-8] Failed to connect to <esx.example.com>
com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]
    at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:265)
    at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError(HttpExchangeBase.java:369)
    at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:59)
    at com.vmware.vim.vmomi.core.tracing.NoopTracer$NoopSpan.runWithinSpanContext(NoopTracer.java:120)
    at com.vmware.vim.vmomi.client.http.impl.TracingScopedRunnable.run(TracingScopedRunnable.java:17)
    at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.run(HttpExchangeBase.java:52)
    at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase.executeRunnable(HttpProtocolBindingBase.java:229)
    at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:128)
    at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:693)
    at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:674)
    at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:371)
    at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:322)
    at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:195)
    at jdk.proxy2/jdk.proxy2.$Proxy299.retrieveContent(Unknown Source)
    at com.vmware.evo.sddc.common.client.vmware.esx.EsxCommandExecutor.<init>(EsxCommandExecutor.java:144)
    at com.vmware.evo.sddc.common.client.vmware.esx.EsxCommandExecutorFactory.createEsxCommandExecutor(EsxCommandExecutorFactory.java:177)
    at com.vmware.evo.sddc.common.client.vmware.esx.EsxCommandExecutorFactory.createEsxCommandExecutor(EsxCommandExecutorFactory.java:155)
    at com.vmware.evo.sddc.common.client.vmware.esx.EsxCommandExecutorFactory.createEsxCommandExecutor(EsxCommandExecutorFactory.java:94)
    at com.vmware.vcf.vimanager.services.QuickStartNetworkProfileService.buildHostResource(QuickStartNetworkProfileService.java:188)
    at com.vmware.vcf.vimanager.services.QuickStartNetworkProfileService.fetchHostInfo(QuickStartNetworkProfileService.java:153)
    at com.vmware.vcf.vimanager.services.QuickStartNetworkProfileService.lambda$fetchHostInfos$0(QuickStartNetworkProfileService.java:136)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at com.vmware.vcf.common.tracing.TraceRunnable.run(TraceRunnable.java:63)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <esx.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:50)
    ... 23 common frames omitted
VCF 9.0
To regenerate the ESX host certificate, follow the steps in the VCF 9.0 Documentation under the section "Regenerate the Self-Signed Certificate on ESX Hosts".
The suggested change is part of ESX host preparation. For more details, refer to the VCF 9.0 Documentation, in a sub-section of "Preparing ESX Hosts for VMware Cloud Foundation or vSphere Foundation".
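When several hosts are validated at once, the log can be scanned for every host that hit this error. The following Python script is an added example, not part of the original article or of any VMware tooling: it extracts each rejected host and the subject alternative names its certificate presented, and checks whether a SAN list would satisfy a given host name. The function names, sample log lines and host names (esx01, esx02) are constructed for illustration.

```python
import re

# Message format of the hostname-verification failure quoted in the article.
MISMATCH = re.compile(
    r"Certificate for <(?P<host>[^>]+)> doesn't match any of the "
    r"subject alternative names: \[(?P<sans>[^\]]*)\]"
)

def san_matches(host, san):
    """Case-insensitive comparison; a leading '*.' covers exactly one label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return host == san

def hosts_needing_regeneration(log_lines):
    """Return {host: sorted SANs presented} for every rejected host.

    The message appears twice per failure (exception and 'Caused by'),
    so results are de-duplicated per host.
    """
    findings = {}
    for line in log_lines:
        for m in MISMATCH.finditer(line):
            sans = {s.strip() for s in m.group("sans").split(",") if s.strip()}
            findings.setdefault(m.group("host"), set()).update(sans)
    return {host: sorted(sans) for host, sans in findings.items()}

def certificate_covers(host, presented_sans):
    """True when at least one SAN matches the name the installer connects to."""
    return any(san_matches(host, san) for san in presented_sans)

# Constructed sample in the shape of domainmanager.log (not real log data).
SAMPLE_LOG = [
    "YYYY-MM-DDTHH:MIN:SEC ERROR [vcf_dm,####,f722] Failed to connect to <esx01.example.com>",
    "com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLPeerUnverifiedException: "
    "Certificate for <esx01.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]",
    "Caused by: javax.net.ssl.SSLPeerUnverifiedException: "
    "Certificate for <esx01.example.com> doesn't match any of the subject alternative names: [localhost.localdomain]",
    "Caused by: javax.net.ssl.SSLPeerUnverifiedException: "
    "Certificate for <esx02.example.com> doesn't match any of the subject alternative names: [esx-old.example.com, *.lab.example.com]",
    "YYYY-MM-DDTHH:MIN:SEC INFO [vcf_dm,####,f722] unrelated entry",
]

if __name__ == "__main__":
    for host, sans in hosts_needing_regeneration(SAMPLE_LOG).items():
        print(f"{host}: certificate SANs {sans} -> regenerate the certificate")
```

After regenerating a host's certificate, re-run validation and confirm the host no longer appears in the output for new log entries.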