Certificate replacement fails in VCF Fleet Manager: "Public key in CSR and server certificate are not matching" across VCF Components

Article ID: 430391

Updated On:

Products

VCF Operations

Issue/Introduction

When attempting to replace the certificate for VMware Cloud Foundation (VCF) components using Fleet Manager, the operation fails with the following error:
Certificate replacement for appliance <FQDN> has failed. Failed to perform specified operation on <COMPONENT_NAME>. Public key in CSR and server certificate are not matching.

Corresponding entries in /var/log/vrlcm/vmware_vrlcm.log:
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.c.CertificateStoreController]  -- Request received to import certificate with alias: <FQDN_1> and certificate chain 
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Validating import certificate request payload
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Certificate CN - <FQDN_2>
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Fetching all CSRs with CN - <FQDN_2> and check whether the public key match between Certificate and CSR
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- No CSR found for CN <FQDN_2> in locker
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Certificate valid - true
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Importing certificate with alias: <FQDN_1>
INFO vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.s.p.CertificateStoreService]  -- Validated certificate <CERTIFICATE_THUMBPRINT>
ERROR vrlcm[1196] [http-nio-8080-exec-2] [c.v.v.l.l.c.CertificateStoreController]  -- Failed to import certificate. Error: Certificate with alias '<FQDN_1>' already exists.

Environment

VCF Operations 9.x
VCF Fleet Management 9.x

Cause

This issue occurs when the public key in the certificate being applied does not match the public key in the CSR that Fleet Manager holds for the target component.
Fleet Manager looks up the CSR by the CN of the certificate being imported and compares the two public keys. A typical trigger is that a CSR was generated for one component (e.g. ESXi), but the certificate being pushed was signed from a CSR generated for a different component (e.g. SDDC). Because a signed certificate carries the public key of the key pair its own CSR was generated from, that key does not match the public key in the CSR the system references for the component, and the validation fails. In the log excerpt above, the CSR lookup by CN finds nothing in the locker, and the import is then rejected because a certificate with that alias already exists.

Resolution

To resolve this issue, ensure a strict 1:1 relationship between the CSR and the certificate for every component: each certificate must be signed from the CSR that was generated for that specific component, so that the public key in the certificate is the one Fleet Manager holds for it.
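Before importing a certificate, you can verify locally that it was signed from the CSR Fleet Manager holds for that component by comparing the public key in the CSR with the public key in the certificate, which is the same check the log shows Fleet Manager performing. The script below is an added example and is not part of this article or of Fleet Manager; it assumes a Linux host with openssl in PATH, and the file names a.csr, b.csr, a.crt and the CN esxi01.example.local are constructed demo values standing in for the CSR exported from Fleet Manager and the certificate returned by the CA.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm that a CSR and a signed
# certificate carry the same public key before importing the certificate.
set -e

# Print a SHA-256 fingerprint of the public key (DER-encoded SubjectPublicKeyInfo)
# contained in a CSR ("csr") or an X.509 certificate ("cert"). Hashing the SPKI
# works for RSA and EC keys alike, unlike comparing an RSA modulus.
pubkey_fingerprint() {
  kind="$1"; file="$2"
  case "$kind" in
    csr)  cmd="req"  ;;
    cert) cmd="x509" ;;
    *) echo "unknown kind: $kind (use csr|cert)" >&2; return 2 ;;
  esac
  openssl "$cmd" -in "$file" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Return 0 when the CSR and certificate share a public key, 1 otherwise.
# A mismatch is exactly what Fleet Manager rejects with
# "Public key in CSR and server certificate are not matching".
csr_matches_cert() {
  csr_fp="$(pubkey_fingerprint csr "$1")"
  cert_fp="$(pubkey_fingerprint cert "$2")"
  if [ "$csr_fp" = "$cert_fp" ]; then
    echo "MATCH    $1 <-> $2 ($csr_fp)"
    return 0
  else
    echo "MISMATCH $1 ($csr_fp) vs $2 ($cert_fp)" >&2
    return 1
  fi
}

# Constructed demo material (hypothetical, not real Fleet Manager output):
# two key pairs with a CSR each, and a certificate issued from CSR A.
# Self-signing with key A stands in for the CA so the cert carries A's public key.
make_demo() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/a.key" -out "$dir/a.csr" \
    -subj "/CN=esxi01.example.local" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/b.key" -out "$dir/b.csr" \
    -subj "/CN=esxi01.example.local" 2>/dev/null
  openssl x509 -req -in "$dir/a.csr" -signkey "$dir/a.key" -days 1 -out "$dir/a.crt" 2>/dev/null
}

demo() {
  dir="$(mktemp -d)"
  make_demo "$dir"
  csr_matches_cert "$dir/a.csr" "$dir/a.crt"          # same key pair: MATCH
  csr_matches_cert "$dir/b.csr" "$dir/a.crt" || true  # other component's CSR: MISMATCH
  rm -rf "$dir"
}

demo
```

Run `csr_matches_cert <exported.csr> <signed.crt>` against the real files before pushing the certificate through Fleet Manager; note that both demo CSRs share the same CN, which is why a CN match alone is not enough and the public keys must be compared.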

Depending on the requirement, follow the steps below to replace certificates for VCF components: