"Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name" error while replacing vCenter Server Machine SSL Certificate

Article ID: 322262

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Using Certificate Manager to replace the Machine SSL certificate with a new custom CA-signed certificate fails with the error message below:

Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name

  • In the certificate-manager.log file, you will see entries similar to:

    2017-05-18T18:47:26.132Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
    2017-05-18T18:47:26.545Z ERROR certificate-manager Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
    2017-05-18T18:47:26.545Z INFO certificate-manager Performing rollback of Machine SSL Cert...


    The vSphere 6.x Certificate Manager stores a certificate-manager.log file in these locations:
    • Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
    • vCenter Server Appliance 6.x: /var/log/vmware/vmcad/certificate-manager.log


Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x

Cause

The behavior is caused by a mismatch between the machine PNID listed in the Subject Alternative Name (SAN) field of the existing MACHINE_SSL_CERTIFICATE and the SAN field of the replacement certificate. The PNID is equal to the System Name parameter entered during deployment of vCenter Server. The System Name can be either a Fully Qualified Domain Name (FQDN) or an IP address.

Prior to vCenter Server 6.5 U2 and vCenter Server 6.0 Patch 7, Certificate Manager produced this error on any mismatch of case or value between the SAN entries of the old and new certificates, including extra SAN fields present only in the new certificate.

For example:

Old certificate SAN:
IP Address=10.10.10.122
DNS Name=vcenter65.example.com

New certificate SAN:
IP Address=10.10.10.123
DNS Name=VCENTER65.example.com
DNS Name=vcenter65
[email protected]

Resolution

This issue is resolved in the following vCenter Server builds:
VMware vCenter Server 6.0 Update 3g, available at Broadcom Downloads.
VMware vCenter Server 6.5 Update 2, available at Broadcom Downloads.
VMware vCenter Server 6.7.0c, available at Broadcom Downloads.

Workaround:
To work around this issue, regenerate the certificate with the same case and values as the old Machine SSL Certificate.

This issue can also occur on the builds listed in the Resolution section if the new Machine SSL Certificate does not contain the PNID in the SAN field. Regenerate the certificate with the correct PNID in the SAN field to resolve the issue. Refer to Related Information in this article to verify the PNID and the Subject Alternative Names.

Additional Information

  • To display the PNID of a vCenter Server, log in to the vCenter Server and run the command below:

vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost


  • Run the following command to check the Subject Alternative Name field of the existing Machine SSL Certificate:

vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative

Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text

  • Run the following command to check the Subject Alternative Name field and the DNS Name values of a certificate file:

openssl x509 -in <path_to_certificate_file> -noout -text | grep -A1 Alternative

For example:

openssl x509 -in mycert.crt -noout -text | grep -A1 Alternative
X509v3 Subject Alternative Name:
DNS:myserver.example.com, DNS:myserver
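The following Python script is an added example, not part of this article or of VMware's tooling. It applies the two rules described above to SAN lines in the format printed by the openssl command: the strict entry-by-entry comparison of the pre-fix builds (any case or value difference, or an extra entry, is a finding) and the PNID-presence requirement of the fixed builds. The SAN strings, the email entry and the PNID are constructed sample values modelled on the old/new pair in the Cause section; comparisons are exact, including case, as the workaround advises.

```python
# Constructed SAN strings in the format printed by `openssl x509 -noout -text`,
# modelled on the old/new pair in the Cause section (email entry also constructed).
OLD_SAN_TEXT = "IP Address:10.10.10.122, DNS:vcenter65.example.com"
NEW_SAN_TEXT = ("IP Address:10.10.10.123, DNS:VCENTER65.example.com, "
                "DNS:vcenter65, email:admin@example.com")
# Constructed PNID; on a real system take it from `vmafd-cli get-pnid`.
PNID = "vcenter65.example.com"


def parse_san(san_text):
    """Split an openssl SAN line into (type, value) pairs, e.g. ('DNS', 'host')."""
    entries = []
    for item in san_text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def san_contains_pnid(san_text, pnid):
    """Fixed builds require the PNID as a DNS or IP Address entry (exact match)."""
    return any(kind in ("DNS", "IP Address") and value == pnid
               for kind, value in parse_san(san_text))


def san_diff(old_text, new_text):
    """Return (missing, extra): entries of the old SAN absent from the new one,
    and entries of the new SAN absent from the old one. Pre-fix builds reject both."""
    old, new = set(parse_san(old_text)), set(parse_san(new_text))
    return sorted(old - new), sorted(new - old)


def precheck(old_text, new_text, pnid, fixed_build):
    """Return a list of findings; an empty list means the replacement should be
    accepted. fixed_build=True applies only the PNID rule of the resolved builds."""
    findings = []
    if not san_contains_pnid(new_text, pnid):
        findings.append(f"new SAN does not contain the PNID {pnid}")
    if not fixed_build:
        missing, extra = san_diff(old_text, new_text)
        findings += [f"old SAN entry {k}={v} is missing from the new SAN" for k, v in missing]
        findings += [f"new SAN has extra entry {k}={v}" for k, v in extra]
    return findings


if __name__ == "__main__":
    for label, fixed in (("pre-fix build", False), ("fixed build", True)):
        print(label, precheck(OLD_SAN_TEXT, NEW_SAN_TEXT, PNID, fixed) or ["OK"])
```

Run it against your own SAN lines by pasting the openssl output into the two strings; the sample new certificate fails on both build types because the FQDN case differs from the PNID.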