Existing components validation failed due to errors: Cannot connect to nsxmanager.example.com. Cause: Certificate for <nsxmanager.example.com> doesn't match any of the subject alternative names: [nsxmanagershortname]
Article ID: 419814

Products

VMware NSX

Issue/Introduction

This validation error typically occurs during the Validate and Deploy phase of a VMware Cloud Foundation (VCF) installation, when VCF attempts to register with or connect to the existing NSX Manager cluster.

Environment

VMware NSX

Cause

The cause is the certificate presented by the NSX Manager Management Cluster Virtual IP (VIP), which is the endpoint VCF is trying to connect to (e.g., nsxmanager.example.com).

  1. When VCF attempts to validate the fully qualified domain name (FQDN) of the NSX Manager cluster (e.g., nsxmanager.example.com), it checks the certificate's Subject Alternative Name (SAN) field.

  2. The certificate configured on the NSX Manager VIP (the MGMT_CLUSTER endpoint) only contains the short name (or a different, incorrect name) of the NSX Manager in its SAN list, such as [nsxmanagershortname].

  3. Because the requested FQDN (nsxmanager.example.com) does not match any entry in the certificate's SAN list, the connection fails with a certificate mismatch error, causing the VCF validation to halt.

Resolution

The resolution is to replace the certificate on the NSX Manager Management Cluster (MGMT_CLUSTER) VIP with a new one that correctly includes the FQDN (nsxmanager.example.com) in the Subject Alternative Name field.

Steps to Replace the Certificate on NSX-T

  • With admin privileges, log in to NSX Manager.
  • Navigate to System > Certificates.

    The page lists all certificates, along with the total number of certificates, the certificates that are about to expire, and the certificates that are currently in use. The certificates are arranged in groups, and you can filter them as required.
     
  • To replace multiple certificates, perform the following steps:
     
    Select the certificates you want to replace (the affected certificate), and click Actions > Replace Certificates.
     
  • In the Replace Certificates dialog box, for each certificate select the required option:
     
    Auto-generate Self Signed Certificate: Replaces the old certificate with an auto-generated self-signed certificate. This is the default option.
     
    Import Certificates: Imports signed certificates to replace the old certificate. You need to select this option from the drop-down menu.
     
    Generate Self Signed Certificate: Provides an option to create a self-signed certificate to replace the old certificate. You need to select this option from the drop-down menu.

    NOTE: Make sure the replacement certificate includes the FQDN (nsxmanager.example.com) in the Subject Alternative Name field.
     
  • Click Save
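
The check described under Cause can be run against a certificate's SAN list before re-running VCF validation. The following is an added example, not code from this article or from VMware: it assumes standard TLS hostname matching (case-insensitive, wildcard only as the whole leftmost label) and a SAN line in the form printed by `openssl x509 -noout -text`. The function names, the sample SAN strings and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample SAN lines (not taken from a real certificate).
SAN_OLD = "DNS:nsxmanagershortname"
SAN_NEW = "DNS:nsxmanager.example.com, DNS:nsxmanagershortname, IP Address:192.0.2.10"

def parse_san_line(line):
    """Split an openssl-style SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for item in line.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip().lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips

def dns_name_matches(pattern, host):
    """Label-by-label match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a short name never covers an FQDN
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_endpoint(san_line, target):
    """Return (ok, reason) for a client connecting to `target`."""
    dns, ips = parse_san_line(san_line)
    try:
        addr = ipaddress.ip_address(target)   # IP targets match only IP SANs
    except ValueError:
        addr = None
    if addr is not None:
        ok = addr in ips
    else:
        ok = any(dns_name_matches(d, target) for d in dns)
    if ok:
        return True, f"{target} is covered by the SAN list"
    return False, f"{target} doesn't match any of the SANs: {dns + [str(i) for i in ips]}"

if __name__ == "__main__":
    for label, san in (("old", SAN_OLD), ("new", SAN_NEW)):
        print(label, check_endpoint(san, "nsxmanager.example.com"))
```
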

Additional Information

Replace Certificates Through NSX Manager