This article describes common errors that may occur when attaching a foundation to VMware Tanzu Hub using the Automated attach workflow, and provides resolution steps.

When attaching a foundation through the Tanzu Hub UI, one of the following errors may be displayed:

• “Foundation already exists with this name”

• “Invalid passcode”

• “Invalid Foundation credential”

Tanzu Hub

Issue 1: “Foundation already exists with this name”

Symptom

After entering a value in Foundation Name, the UI displays:

Foundation already exists with this name

This can be confusing because the foundation may not appear in the Foundations list under the Overview tab.

Cause

A previous attach attempt already created a foundation record in Tanzu Hub (including pending/failed attach states). In some failure scenarios, the foundation record may not be visible in the Overview list but is still present under the Manage connection view.

How to confirm

1. In Tanzu Hub UI, navigate to Foundations.

2. Click Manage connection.

3. Look for an existing entry corresponding to the foundation name.

Resolution

• If the foundation is listed in Manage connection, use that entry to continue/repair the connection rather than creating a new one with the same name.

• If the foundation is stuck in a failed/partial state, remove/detach it from Manage connection (if supported in your environment), then retry the attach.

Issue 2: “Invalid passcode”

Symptom

After entering the passcode, the UI displays:

Invalid passcode

Cause

One of the following:

• The passcode entered is incorrect.

• The passcode has expired (time-limited token).

Resolution

• Generate a new passcode from the foundation side (per your attach process) and retry.

• Ensure the passcode is copied exactly (avoid whitespace, truncation, clipboard issues).

Issue 3: “Invalid Foundation credential.”

Symptom

After entering/uploading the certificate for the foundation credential, the UI displays:

Invalid Foundation credential.

Common cause

A frequent underlying cause is TLS hostname verification failure, for example when the certificate presented by the foundation endpoint does not include the hostname in its Subject Alternative Name (SAN).

This often presents in backend logs as a Java exception similar to:

• java.security.cert.CertificateException: No name matching <hostname> found

Resolution (identify the exact TLS error in Hub backend logs)

To determine the exact cause, review Tanzu Hub GraphQL/provider logs.

Prerequisite: Access to Tanzu Hub Kubernetes pod logs.
See: KB: How to access Kubernetes pod logs in Tanzu Hub for troubleshooting 

Steps

1. SSH into the registry VM in the Tanzu Hub deployment (the VM preconfigured with kubectl and permissions).

2. Identify the provider pod (commonly in the tanzusm namespace):

   • graphql-rest-provider-service-*

3. Follow logs while reproducing the attach attempt:

kubectl -n tanzusm get pods | grep graphql-rest-provider-service 
kubectl -n tanzusm logs -f <graphql-rest-provider-service-pod-name>

4. Retry the attach operation in the Tanzu Hub UI and observe the log output.

Interpretation and fix guidance

• If logs show No name matching <hostname> found:

  • The certificate presented by the foundation endpoint does not include the hostname Hub is using.

  • Fix by ensuring the foundation endpoint presents a server/leaf certificate with SAN including the exact URL hostname entered in the attach workflow (for example opsmgrXX-...example.net).

  • Confirm using:

     

    openssl s_client -connect <hostname>:443 -servername <hostname> </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

• If logs show unable to find valid certification path to requested target:

  • Tanzu Hub is unable to build a trusted certificate chain between the foundation endpoint’s server certificate and the CA certificate provided during automated attach.

  • This typically indicates that an incorrect or unrelated CA certificate was supplied (for example, a CA from a different foundation or an incomplete certificate chain).

  • Provide the correct CA certificate (and any required intermediate certificates) that signed the foundation endpoint’s server certificate.

Issue 4: “hub collector is already installed: hub-tas-collector-####################”

Symptom

During automated foundation attach, the attach operation fails with the following error:

hub collector is already installed: hub-tas-collector-####################

Tanzu Hub detected that the Platform Services component responsible for deploying the Hub collector is already installed on the target foundation.

Although the error message references the collector directly, the underlying condition is that the Platform Services tile is already present on the foundation.

Common cause

Tanzu Hub detected that Platform Services, which is responsible for deploying the Hub collector, is already installed on the target foundation.

This can occur when:

• A previous automated attach attempt partially succeeded.

• Platform Services was installed manually.

• The collector deployment was removed, but the Platform Services tile remains installed.

Resolution

• Check whether Platform Services is already installed on the foundation (for example, in the Ops Manager installation dashboard).

• If Platform Services is present and a fresh automated attach is required, remove the Platform Services tile, apply changes, and retry the attach.

• Alternatively, reuse or repair the existing foundation connection rather than creating a new one.

Note:

The error message is misleading. A more accurate message would be:

“Platform Services is already installed: hub-tas-collector-####################”