"Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name" error while replacing vCenter Server Machine SSL Certificate
Article ID: 322262
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- Using certificate manager to replace an Machine SSL certificate with a new custom, CA signed certificate fails with below error message:
Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
- In the certificate-manager.log file, you will see entries similar to:
2017-05-18T18:47:26.132Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2017-05-18T18:47:26.545Z ERROR certificate-manager Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
2017-05-18T18:47:26.545Z INFO certificate-manager Performing rollback of Machine SSL Cert...
The vSphere 6.x Certificate Manager stores a certificate-manager.log file in these locations:- Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
- vCenter Server Appliance 6.x: /var/log/vmware/vmcad/certificate-manager.log
Environment
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
Cause
The behavior is caused by a mismatch of the machine PNID listed in the Subject Alternative Name (SAN) field of the existing MACHINE_SSL_CERTIFICATE and the replacement certificate. The PNID is equal to the System Name parameter input during deployment of vCenter. The System Name can either be a Fully Qualified Domain Name (FQDN) or an IP address.
Prior to vCenter Server 6.5 U2 and vCenter Server 6.0 Patch 7, there was an issue which displayed this behavior due to any mismatch of case or value between the SAN entries. This can include extra fields as well.
Prior to vCenter Server 6.5 U2 and vCenter Server 6.0 Patch 7, there was an issue which displayed this behavior due to any mismatch of case or value between the SAN entries. This can include extra fields as well.
For example:
Old certificate SAN:
IP Address=10.10.10.122
DNS Name=vcenter65.vmware.com
New certificate SAN:
IP Address=10.10.10.123
Resolution
This issue is resolved in below vCenter Server builds :
VMware vCenter Server 6.0 Update 3g available at VMware Downloads.
VMware vCenter Server 6.5 Update 2 available at VMware Downloads.
VMware vCenter Server 6.7.0c available at VMware Downloads.
VMware vCenter Server 6.0 Update 3g available at VMware Downloads.
VMware vCenter Server 6.5 Update 2 available at VMware Downloads.
VMware vCenter Server 6.7.0c available at VMware Downloads.
Workaround:
To work around this issue, regenerate the certificate with the same case and values as the old Machine SSL Certificate.
This issue can happen on the builds mentioned in Resolution section as well, if the new Machine SSL Certificate does not contain the PNID in the SAN field. Regenerate the certificate with correct PNID in the SAN field to resolve the issue. Refer to Related Information in this article to verify the PNID and Subject Alternate Names.
Additional Information
- To display the PNID of a vCenter Server Appliance, log in to the vCenter Server and run below command:
vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost
- Run the following command to check the Subject Alternative Name field of the existing Machine SSL Certificate.
vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative
Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative
Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text
- Run the following command to check the Subject Alternative Name field and the value of the DNS Name of Certificate.
openssl x509 -in <path_to_certificate_file> -noout -text | grep -A1 Alternative
For example:
openssl x509 -in mycert.crt -noout -text | grep -A1 Alternative
X509v3 Subject Alternative Name:
DNS:myserver.mydomain.com, DNS:myserver
For example:
openssl x509 -in mycert.crt -noout -text | grep -A1 Alternative
X509v3 Subject Alternative Name:
DNS:myserver.mydomain.com, DNS:myserver
Feedback
Yes
No
Powered by
