VCF 9.0 installer fails to connect to an offline depot with "Secure protocol communication error, check logs for more details."
Article ID: 429301


Products

VMware SDDC Manager

Issue/Introduction

When attempting to configure an offline depot https server in the VCF 9.0 installer, the following error is displayed:

Secure protocol communication error, check logs for more details

The issue persists even after importing the offline depot https server certificate into the VCF installer trust store as described in KB 316056.

Environment

  • VCF 9.0 installer appliance

  • Offline depot hosted on an https server

  • Self-signed or CA-signed certificates

Cause

The issue is caused by a mismatch between:

  • The hostname or IP address used during connection, and
  • The certificate’s Common Name (CN) and/or Subject Alternative Name (SAN) entries.

VCF Installer performs strict TLS hostname validation. Even if the certificate is trusted, the TLS handshake will fail if the connection target does not match the CN or SAN fields in the certificate.

Supported certificate configuration 1 (Recommended)

  • CN = FQDN
  • SAN includes:

    DNS: FQDN
    IP: x.x.x.x

  • In this configuration, the VCF 9.0 installer can connect to the offline depot using either the FQDN or the IP address.

Supported certificate configuration 2

  • CN = FQDN
  • SAN includes:

    DNS: FQDN
    (No IP entry)

  • In this configuration, the VCF 9.0 installer can connect to the offline depot using the FQDN only.
  • Connection using the IP address fails with "Secure protocol communication error, check logs for more details."

Unsupported certificate configuration 1

  • CN = IP address

  • The connection fails when using either the FQDN or the IP address.

Unsupported certificate configuration 2

  • CN is empty

  • Certificate does not identify any subject

  • TLS validation fails in all cases
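The following Python is an added illustration, not the installer's own code, of the hostname check behind the four configurations above. The FQDN and IP are constructed values, and the matching rules (an IP target must appear as a SAN IP entry; a DNS target is checked against SAN DNS entries, with the CN consulted only when no SAN DNS entries exist) are assumed from common strict validators rather than stated by the article.

```python
import ipaddress

# Constructed depot identity for this example (not from the article).
FQDN = "depot.example.com"
IP = "192.0.2.10"

# Certificates in the layout returned by ssl.SSLSocket.getpeercert(),
# one per configuration described in the Cause section.
CERTS = {
    "supported_1": {"subject": ((("commonName", FQDN),),),
                    "subjectAltName": (("DNS", FQDN), ("IP Address", IP))},
    "supported_2": {"subject": ((("commonName", FQDN),),),
                    "subjectAltName": (("DNS", FQDN),)},
    "unsupported_1": {"subject": ((("commonName", IP),),)},
    "unsupported_2": {"subject": ()},
}


def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def matches_certificate(target, cert):
    """True if target (FQDN or IP literal) is acceptable for cert.

    Assumed strict-validator behaviour: an IP target must appear as a
    SAN IP entry (an IP placed in the CN never counts); a DNS target is
    checked against SAN DNS entries, and the CN is consulted only when
    the certificate carries no SAN DNS entries at all.
    """
    san = cert.get("subjectAltName", ())
    san_dns = {v.lower().rstrip(".") for t, v in san if t == "DNS"}
    san_ip = {ipaddress.ip_address(v) for t, v in san if t == "IP Address"}
    if _is_ip(target):
        return ipaddress.ip_address(target) in san_ip
    host = target.lower().rstrip(".")
    if san_dns:
        return host in san_dns
    cn = [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]
    return bool(cn) and cn[-1].lower().rstrip(".") == host


def evaluate_configurations():
    """Map each configuration to (reachable_by_fqdn, reachable_by_ip)."""
    return {name: (matches_certificate(FQDN, c), matches_certificate(IP, c))
            for name, c in CERTS.items()}
```

Running evaluate_configurations() reproduces the outcomes listed above: only the first configuration is reachable by both FQDN and IP, the second by FQDN alone, and the unsupported ones by neither.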

Resolution

Ensure that the offline depot https server certificate is configured according to the following requirements:

  • CN (Common Name) must be the FQDN of the offline depot server.

  • SAN (Subject Alternative Name) should include:

    • DNS: <FQDN>

    • IP: <IP address> (optional)

  • The FQDN and IP address used in the VCF installer must exactly match the values specified in the certificate’s CN and SAN fields.
  • If the offline depot server has no FQDN defined and there is no permission to modify DNS, use a custom FQDN to generate the server certificate. Then edit the file /etc/hosts on the VCF installer appliance to add a hostname-to-IP mapping, for example,

    <IP address> <FQDN>

Additional Information

Verification Steps

1. Verify certificate on the offline depot server

  • On the Offline Depot HTTPS server, run the command

    openssl x509 -in server.crt -text -noout

  • Confirm that:

    CN is set to the FQDN

    SAN includes the required DNS (and IP, if applicable) entries

2. Verify certificate using a web browser

  • Open a browser and navigate to:

    https://<FQDN>:<port>

  • Click the padlock icon in the address bar.

  • Select "Connection secure" or "Connection not secure", then "More information" (depending on browser).

  • View the certificate details.

  • Verify:

    • The Common Name (CN) matches the FQDN used.

    • The Subject Alternative Name (SAN) includes the expected DNS (and IP, if configured).

    • The FQDN used in the URL must match the CN or a SAN DNS entry in the certificate.