You may be experiencing the following symptoms:
In the configurator.log file on the vIDM appliances, you find repeated errors indicating a mismatch between the VIP address and the subject alternative names (SANs) on the certificate.
Example log error:
ERROR (Configurator) [,,,,] com.vmware.horizon.configurator.APIServer - javax.net.ssl.SSLPeerUnverifiedException: Certificate for <VIP_ADDRESS> doesn't match any of the subject alternative names: [DIFFERENT_FQDN_1, DIFFERENT_FQDN_2]
VMware Identity Manager (vIDM) 3.3.x
NSX-T Load Balancer
This issue is caused by applying an incorrect or improperly configured SSL certificate to the NSX-T load balancer's virtual server for the vIDM cluster.
The certificate's Subject Alternative Names (SANs) do not include the required FQDNs for the vIDM environment it is protecting. For example, a certificate intended for a different environment may have been uploaded by mistake. The health check fails because the vIDM nodes cannot validate the identity of the load balancer VIP, as its address is not listed in the certificate presented by NSX-T.
To resolve this issue, you must replace the incorrect certificate in the NSX-T load balancer configuration with one that is correctly configured for the vIDM cluster.
Obtain a Correct Certificate:
Ensure you have a valid SSL certificate whose Subject Alternative Names (SANs) list includes the FQDN of the load balancer VIP and the FQDN of each individual vIDM node in the cluster. The procedure is documented in Aria Suite Lifecycle: Replace your vIDM certificate.
Update the Certificate in NSX-T:
The procedure for updating the certificate in the NSX-T virtual server involves uploading the new certificate (including the full chain) to the NSX-T certificate store and then associating it with the vIDM virtual server's SSL configuration.
For a detailed, step-by-step guide on this process, follow the procedure outlined in the Broadcom Knowledge Base article: How to replace the certificate on an NSX-T Load balancer for a vIDM Cluster.
Verify the Resolution:
Once the correct certificate is applied in NSX-T, the cluster health errors on the vIDM health page should clear automatically after a few minutes.
You can also tail the /opt/vmware/horizon/workspace/logs/configurator.log file on the vIDM nodes to confirm that the SSL peer unverified exceptions are no longer occurring.
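As an added example (not part of this article or of any VMware tooling), the following Python check parses the SSLPeerUnverifiedException line from configurator.log, or the DNS entries from `openssl x509 -noout -ext subjectAltName` output, and reports which required FQDNs (the VIP and each node) the presented certificate's SANs fail to cover. All hostnames are constructed placeholders.

```python
import re

# Constructed sample of the configurator.log error line; hostnames are placeholders.
SAMPLE_LOG = (
    "ERROR (Configurator) [,,,,] com.vmware.horizon.configurator.APIServer - "
    "javax.net.ssl.SSLPeerUnverifiedException: Certificate for vidm-vip.lab.example "
    "doesn't match any of the subject alternative names: "
    "[vidm.other.example, *.other.example]"
)

LOG_RE = re.compile(
    r"Certificate for (?P<host>\S+) doesn't match any of the subject alternative names: "
    r"\[(?P<sans>[^\]]*)\]"
)


def parse_san_mismatch(line):
    """Return (host, [sans]) from an SSLPeerUnverifiedException log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return m.group("host"), sans


def sans_from_openssl(text):
    """DNS SANs from `openssl x509 -in cert.pem -noout -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_matches(san, host):
    """RFC 6125-style match: exact name, or a single-label wildcard in the leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".lab.example"
        # Wildcard covers exactly one label: a.lab.example yes, b.a.lab.example no.
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def missing_sans(required_hosts, sans):
    """Required hosts (VIP + every node FQDN) that no SAN on the certificate covers."""
    return [h for h in required_hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    host, sans = parse_san_mismatch(SAMPLE_LOG)
    print("VIP not covered by presented SANs:", missing_sans([host], sans))
```

Run the same `missing_sans` check against the replacement certificate's SANs (from the openssl output) and the full list of VIP and node FQDNs before uploading it to NSX-T, so the mismatch is caught before the health check does.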