"Could not connect to one or more vCenter Server Systems: https://vCenterFQDN:443/sdk" error in the vSphere Client due to additional SAN entry in certificate.

Article ID: 419342

Products

VMware vCenter Server

Issue/Introduction

  • Logging in to the vCenter Server does not show the partner node in Enhanced Linked Mode (ELM), and the console displays the banner "Could not connect to one or more vCenter Server systems: https://vcenterfqdn:443/sdk".

  • All services on the vCenter Server are running, but the partner node is not visible after logging in to the console.
  • The vmdird-syslog.log file, located under /var/log/vmware/vmdird, contains entries such as:
    YYYY-MM-DDTHH:MM:SS. #####+##:## err vmdird t@139669677221632: SASLSessionStart: sasl error (-20) (SASL (-13) : user not found: no secret in database)
    YYYY-MM-DDTHH:MM:SS. #####+##:## err vmdird t@139669677221632: VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID CREDENTIALS (49) ) , Message ( (49) (SASL start failed.) ), (0) socket (IP_address)
  • A machine account matching the FQDN of the vCenter Server is present in the AD server.
  • Two entries for the vCenter FQDN, one in upper case and one in lower case, are present in the Subject Alternative Name (SAN) when running: /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative

Environment

vCenter Server 7.x

vCenter Server 8.x

Cause

This issue occurs when the Subject Alternative Name (SAN) field of the Machine SSL certificate contains an additional entry left over from a previous certificate replacement.

The SAN then lists the FQDN of the vCenter Server twice, once in upper case and once in lower case.

Resolution

  • To resolve this issue, verify the hostname and PNID (Primary Network Identifier) of the vCenter Server, then regenerate the certificates with vCert using the correct hostname.
  • In the vCert tool, select option 6 to reset all certificates with VMCA-signed certificates.
  • Connect to the vCenter Server over SSH and check the hostname: hostname -f
  • To verify the current PNID, run the following command:
    /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  • Run the following command to check the Subject Alternative Name field of the updated Machine SSL certificate:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative

Note: Ensure that a powered-off snapshot of every node in the ELM is available before starting the certificate replacement.
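The symptom in Issue/Introduction and the final verification step above both come down to the same check: whether the SAN of the Machine SSL certificate lists the vCenter FQDN more than once in differing case, and whether the PNID is among the SAN names. The POSIX shell script below is an added example, not part of this KB article or of any VMware tool. It parses the SAN block in the layout that vecs-cli prints (the same layout as openssl x509 -text), reports DNS entries that duplicate each other case-insensitively, and confirms the PNID is present. The two sample SAN blocks, the hostname vcenter01.example.com and the address 192.0.2.10 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the KB article or a VMware tool): check the Machine SSL
# certificate's SAN for the case-variant duplicate this article describes.
# Input is the "X509v3 Subject Alternative Name" block as printed by
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative
# (same layout as openssl x509 -text). The samples below are constructed.

# Constructed sample: an affected node, FQDN present in upper and lower case.
SAMPLE_SAN_BAD='            X509v3 Subject Alternative Name:
                DNS:VCENTER01.EXAMPLE.COM, DNS:vcenter01.example.com, IP Address:192.0.2.10'

# Constructed sample: a healthy node, a single DNS entry matching the PNID.
SAMPLE_SAN_OK='            X509v3 Subject Alternative Name:
                DNS:vcenter01.example.com, IP Address:192.0.2.10'

# Print the DNS names from a SAN block, one per line, in their original case.
san_dns_names() {
    printf '%s\n' "$1" \
        | grep -v 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Print every DNS name that occurs more than once when case is ignored
# (lower-cased output); an empty result means no case-variant duplicate.
san_case_dupes() {
    san_dns_names "$1" | tr 'A-Z' 'a-z' | sort | uniq -d
}

# Verdict for one node: fail on a case-variant duplicate, or when the PNID
# (compared case-insensitively) is not among the SAN DNS names.
#   $1 = SAN block text, $2 = PNID as printed by vmafd-cli get-pnid
san_check() {
    pnid=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dupes=$(san_case_dupes "$1")
    if [ -n "$dupes" ]; then
        echo "FAIL: SAN lists the same name in different case: $dupes"
        return 1
    fi
    if ! san_dns_names "$1" | tr 'A-Z' 'a-z' | grep -qxF "$pnid"; then
        echo "FAIL: PNID $2 is not in the SAN"
        return 1
    fi
    echo "OK: SAN consistent with PNID $2"
}

# Offline demonstration on the constructed samples.
san_check "$SAMPLE_SAN_BAD" "vcenter01.example.com" || echo "-> matches the symptom in this article"
san_check "$SAMPLE_SAN_OK"  "vcenter01.example.com"

# On a vCenter Server node the same functions take live input (commented out here):
# SAN=$(/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative)
# PNID=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)
# san_check "$SAN" "$PNID"
```

A reported duplicate is exactly the condition this article describes; running the same check against the SAN after the vCert reset confirms that only the correct hostname remains. The check reads the vecs-cli output only, so it needs no additional privileges beyond those already required for the listed commands.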