VCF 9.x Host Validation Fails with SSL Thumbprint Mismatch due to Blocked DNS Traffic (Port 53)



Article ID: 441245


Updated On:

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

During the bring-up phase of VMware Cloud Foundation (VCF) 9.x, the host validation process fails with the following error in the VCF Installer UI:

The provided thumbprints for the following products do not match with their actual thumbprints. Products: [ESXi_FQDN]

Additionally, the following symptoms may be observed:

  • Error connecting to ESX Host [ESXi_FQDN]
  • The hosts are responsive to ping, but the installer cannot complete the SSL handshake during validation.

Environment

VCF 9.x

Cause

This issue occurs because the VCF Installer appliance cannot resolve the FQDNs of the ESXi hosts. The thumbprints supplied in the deployment specification (JSON) may be correct, but the installer does not trust them on their own: it connects to each host by FQDN, reads the certificate the host actually presents, and compares that certificate's thumbprint with the one in the specification.

If port 53 (DNS, UDP and TCP) is blocked by a firewall between the VCF Installer and the DNS servers, the installer cannot resolve the hostnames, so it never reaches the host to read the certificate. The validation engine then reports the result as a thumbprint mismatch or a connection failure, even though the provided thumbprint may be right.

Resolution

To resolve this issue, ensure proper network connectivity and DNS resolution from the VCF Installer appliance.

1. Verify DNS Connectivity

Ensure that Port 53 (UDP/TCP) is open on the firewall between the VCF Installer and the DNS servers.

2. Test DNS Port Connectivity (TCP 53)

Log into the VCF Installer appliance via SSH or the VM console and verify that it can resolve the ESXi host FQDN.

Run the following command to check whether the DNS server is reachable on port 53:

curl -v telnet://[DNS_IP_ADDRESS]:53

  • Successful output: look for a line saying Connected to [DNS_IP_ADDRESS] port 53. The session stays open; press Ctrl+C to exit.
  • Failed output: if the connection is blocked or refused, curl reports Connection refused, Connection timed out, or Failed to connect.

If the command times out or is refused, a firewall between the appliance and the DNS server is the likely cause. Note that this command tests TCP 53 only; DNS lookups normally use UDP 53, which a firewall may filter separately. After the TCP test passes, confirm that an actual name lookup of the ESXi FQDN succeeds from the appliance before continuing.

3. Re-run Validation

Once the network team has allowed port 53 and name resolution of the ESXi FQDNs has been confirmed from the appliance, return to the VCF Installer UI and click Retry Validation.

If name resolution works and the mismatch error persists, the thumbprint in the deployment specification genuinely differs from the certificate the host is serving (for example, because the host certificate was regenerated). Verify the host's current certificate thumbprint directly on the ESXi host before changing the value in the specification; do not update the specification to whatever thumbprint the installer reports without that check.
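The three steps above can be run together from the VCF Installer appliance as a single pre-flight check before clicking Retry Validation. The script below is an added example, not part of this article or of the VCF Installer itself. It uses the appliance's own resolver for the lookup, tests TCP 53 to the DNS server, and then reads the certificate the ESXi host presents on port 443 so the thumbprint can be compared with the one in the deployment specification. The environment variables ESXI_FQDN, DNS_IP and EXPECTED_THUMBPRINT are assumptions that the operator supplies; nothing runs until they are set.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): pre-flight check for VCF bring-up.
# Assumes bash (for /dev/tcp), openssl and coreutils 'timeout' on the appliance.
# Usage (values are placeholders):
#   ESXI_FQDN=esxi01.example.com DNS_IP=192.0.2.53 \
#   EXPECTED_THUMBPRINT=AB:CD:... bash vcf-dns-preflight.sh

# Normalise a SHA-256 thumbprint for comparison: remove colons and spaces,
# uppercase, so "ab:cd:ef" and "ABCDEF" compare equal.
normalize_thumbprint() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the two thumbprints are identical after normalisation.
thumbprints_match() {
  [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# Resolve the FQDN through the appliance's configured resolver (/etc/resolv.conf),
# exactly as the installer would. Prints the first address, or nothing on failure.
resolve_fqdn() {
  getent hosts "$1" | awk '{print $1; exit}'
}

# Step 2 of the KB: TCP connect test with a 3 s timeout. Uses bash's /dev/tcp
# instead of curl so the test exits on its own rather than holding the session open.
tcp_port_open() {
  timeout 3 bash -c 'exec 3<>/dev/tcp/"$0"/"$1"' "$1" "$2" 2>/dev/null
}

# Fetch the SHA-256 thumbprint of the certificate the host actually serves on 443.
# This is the "actual" thumbprint the installer compares against the JSON.
actual_thumbprint() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*=//'
}

preflight() {
  local ip actual
  ip=$(resolve_fqdn "$ESXI_FQDN")
  if [ -z "$ip" ]; then
    echo "FAIL: $ESXI_FQDN does not resolve from this appliance"
    if tcp_port_open "$DNS_IP" 53; then
      echo "      TCP 53 to $DNS_IP is open: check the DNS record, and UDP 53"
    else
      echo "      TCP 53 to $DNS_IP is blocked or refused: check the firewall"
    fi
    return 1
  fi
  echo "OK:   $ESXI_FQDN resolves to $ip"

  if ! tcp_port_open "$ESXI_FQDN" 443; then
    echo "FAIL: cannot reach $ESXI_FQDN on 443, so no thumbprint can be read"
    return 1
  fi

  actual=$(actual_thumbprint "$ESXI_FQDN")
  if thumbprints_match "$EXPECTED_THUMBPRINT" "$actual"; then
    echo "OK:   host certificate thumbprint matches the deployment specification"
    return 0
  fi
  # A mismatch with working DNS is a real certificate difference, not a DNS
  # problem: verify the thumbprint on the host itself before editing the JSON.
  echo "FAIL: thumbprint mismatch"
  echo "      specification: $EXPECTED_THUMBPRINT"
  echo "      host presents: $actual"
  return 1
}

# Run only when the operator has supplied the inputs; otherwise the functions
# can be sourced and used individually.
if [ -n "${ESXI_FQDN:-}" ] && [ -n "${DNS_IP:-}" ] && [ -n "${EXPECTED_THUMBPRINT:-}" ]; then
  preflight
fi
```

The lookup deliberately goes through getent rather than querying the DNS server directly, because a direct query can succeed while the appliance's configured resolver path is the one that is blocked; the installer uses the latter. A passing TCP 53 test with a failing lookup usually means UDP 53 is filtered or the record is missing.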