VCD vApp deployment fails with "CertificateException: No subject alternative DNS name matching <FQDN> found"



Article ID: 423287


Products

VMware Cloud Director

Issue/Introduction

When deploying vApps or accessing VMware Cloud Director (VCD) via external automation tools or API clients, the connection fails during the SSL handshake.

Symptoms:

  • Error message: java.security.cert.CertificateException: No subject alternative DNS name matching <LB_FQDN> found.

  • The vcloud-container-debug.log may show handshake failures.

  • The Load Balancer FQDN does not resolve to an IP address (missing DNS A record).

  • Individual Cell certificates only contain the local hostname in the Subject Alternative Name (SAN) field.

Environment

10.3.3

Cause

The client-side Java Virtual Machine (JVM) performs strict hostname verification. The error occurs because the FQDN used to access the environment is missing from the SAN field of the certificate presented by the endpoint. This is compounded by the lack of a valid DNS entry for the Load Balancer VIP, preventing the client from establishing a trusted path to the service.

Resolution


  • Configure DNS:

    • Create a DNS 'A' record for the Load Balancer FQDN pointing to the NSX-T Load Balancer VIP.

  • Generate a Unified Certificate:

    • Generate a new Certificate Signing Request (CSR) that includes the Load Balancer FQDN as the Common Name (CN).

    • Include the Load Balancer FQDN and all Cell hostnames in the Subject Alternative Name (SAN) field.

  • Update VCD Cell Certificates:

    • Import the signed certificate into each VCD cell using the cell-management-tool (-j replaces the console proxy certificate, -p the HTTP/REST certificate):

      /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password PASSWD
      /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password PASSWD

    • Restart the vmware-vcd service on each cell (the first command shuts the cell down gracefully, the second starts it again):

      /opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s

      systemctl start vmware-vcd

  • Configure NSX-T Load Balancer:

    • Ensure the Virtual Server on the NSX-T Load Balancer is configured with an SSL Profile and a Certificate that matches the unified FQDN.

    • If using SSL Passthrough, ensure all backend cells are using the new unified certificate.

  • Verify Public Addresses:

    • In the VCD Provider Portal, navigate to Administration > Settings > Public Addresses.

    • Verify that the VCD Public REST API Base URL and VCD Public URL match the Load Balancer FQDN.
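The following pre-flight check is an added example and not part of this article or of VMware's tooling. It confirms, before the certificate is imported into the cells or bound to the NSX-T Virtual Server, that the SAN list of a signed certificate (or of the certificate a live endpoint actually presents) covers the Load Balancer FQDN and every cell hostname, which is exactly the condition the JVM hostname check enforces. It needs only POSIX shell and openssl 1.1.1 or newer; the hostnames and the certificate path in the usage lines are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): confirm a certificate's SAN covers every name
# clients will present in the TLS handshake, before importing it into VCD cells
# or the NSX-T load balancer. Requires openssl 1.1.1+ for the -ext option.

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Same thing for a live endpoint: fetch the leaf certificate presented for the
# given server name (SNI matters when the LB or a cell serves several names).
live_san_dns_names() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Does one SAN entry match a hostname? Exact (case-insensitive) match, or a
# wildcard covering exactly one left-most label (RFC 6125 style: *.example.com
# matches a.example.com but neither example.com nor a.b.example.com).
san_entry_matches() {
  local entry name suffix first rest
  entry=$(lower "$1"); name=$(lower "$2")
  [ "$entry" = "$name" ] && return 0
  case "$entry" in
    '*.'*)
      suffix=${entry#\*.}
      first=${name%%.*}
      rest=${name#*.}
      [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$suffix" ] && return 0
      ;;
  esac
  return 1
}

# Read SAN names (one per line) on stdin; every argument is a hostname that must
# be covered. Prints each uncovered name and returns 1 if any is missing.
check_san_coverage() {
  local sans missing name entry matched
  sans=$(cat)
  missing=0
  for name in "$@"; do
    matched=0
    while IFS= read -r entry; do
      [ -z "$entry" ] && continue
      if san_entry_matches "$entry" "$name"; then matched=1; break; fi
    done <<EOF
$sans
EOF
    if [ "$matched" -eq 0 ]; then
      echo "MISSING from SAN: $name"
      missing=1
    fi
  done
  return "$missing"
}

# Usage (placeholder names and path): check the signed certificate file before
# running cell-management-tool on each cell.
#   san_dns_names /path/to/unified.pem \
#     | check_san_coverage lb.vcd.example.com cell1.vcd.example.com cell2.vcd.example.com
# After the import and restart, check what the load balancer actually presents:
#   live_san_dns_names lb.vcd.example.com | check_san_coverage lb.vcd.example.com
```

Run the file check against the certificate returned by the CA before touching the cells, and the live check against the Load Balancer FQDN afterwards; the second one also catches the SSL Passthrough case where one backend cell was left on its old per-host certificate, because the name reported as missing will be the LB FQDN whenever that cell is the one answering.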