The following error occurs during VCF 9.0 deployment:
Existing components validation failed due to errors. Cannot connect to ######. Cause: Certificate for <######> doesn't match any of the subject alternative names [######]
VMware NSX
VCF 9.0
The core issue lies with the certificate presented by the NSX Manager Management Cluster Virtual IP (VIP), which is the endpoint VCF is trying to connect to (e.g., nsxmanager.example.com).
When VCF attempts to validate the fully qualified domain name (FQDN) of the NSX Manager cluster (e.g., nsxmanager.example.com), it checks the certificate's Subject Alternative Name (SAN) field.
The certificate configured on the NSX Manager VIP (the MGMT_CLUSTER endpoint) only contains the short name (or a different, incorrect name) of the NSX Manager in its SAN list, such as [nsxmanagershortname].
Because the requested FQDN (nsxmanager.example.com) does not match any entry in the certificate's SAN list, the connection fails with a certificate mismatch error, causing the VCF validation to halt.
Update the NSX Manager Management Cluster (MGMT_CLUSTER) VIP certificate. The updated certificate must include nsxmanager.example.com in the Subject Alternative Name (SAN) attribute to resolve the identity mismatch.
Procedure: Detailed execution steps are documented in Broadcom KB 419814.
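To confirm the cause before replacing the certificate, the requested name and the presented SAN list can be read straight from the error text. The following is an added example, not code from Broadcom or VCF: the function names and result labels are hypothetical, the sample message is constructed from the article's example FQDN, and the matching rules (case-insensitive, wildcard only as the whole left-most label) are assumed to approximate the usual TLS hostname check.

```python
import re

# Shape of the validation error quoted above; VCF fills in the host and SAN list.
ERROR_RE = re.compile(
    r"Certificate for <(?P<host>[^>]+)> doesn't match any of the "
    r"subject alternative names \[(?P<sans>[^\]]*)\]"
)

# Constructed sample: the article's example FQDN with a short-name-only SAN.
SAMPLE = ("Cannot connect to nsxmanager.example.com. Cause: Certificate for "
          "<nsxmanager.example.com> doesn't match any of the subject "
          "alternative names [nsxmanager]")


def parse_error(message):
    """Return (requested_host, [san, ...]) from the error text, or None."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return m.group("host"), sans


def san_covers(host, san):
    """Assumed rule: exact match ignoring case, or '*' as the left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[0] != "" and labels[1] == san[2:]
    return host == san


def diagnose(message):
    """Classify why the requested name failed against the presented SANs."""
    parsed = parse_error(message)
    if parsed is None:
        return "not-a-san-mismatch"
    host, sans = parsed
    if any(san_covers(host, s) for s in sans):
        return "match"
    short = host.split(".", 1)[0].lower()
    if short in (s.lower() for s in sans):
        return "short-name-only"   # SAN carries the host's short name, not the FQDN
    return "no-matching-name"      # SAN carries a different name entirely


if __name__ == "__main__":
    print(parse_error(SAMPLE), diagnose(SAMPLE))
```

A result of `short-name-only` or `no-matching-name` corresponds to the cause described above: the FQDN that VCF requests is missing from the VIP certificate's SAN list.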