...
Using Certificate Manager to replace the Machine SSL certificate with a new custom CA-signed certificate fails with the following error message:

Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name

In the certificate-manager.log file, you will see entries similar to:

2017-05-18T18:47:26.132Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2017-05-18T18:47:26.545Z ERROR certificate-manager Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
2017-05-18T18:47:26.545Z INFO certificate-manager Performing rollback of Machine SSL Cert...

The vSphere 6.x Certificate Manager stores the certificate-manager.log file in these locations:

Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
vCenter Server Appliance 6.x: /var/log/vmware/vmcad/certificate-manager.log
The behavior is caused by a mismatch between the machine PNID listed in the Subject Alternative Name (SAN) field of the existing MACHINE_SSL_CERTIFICATE and the SAN field of the replacement certificate. The PNID is equal to the System Name parameter entered during deployment of vCenter Server. The System Name can be either a Fully Qualified Domain Name (FQDN) or an IP address.

Prior to vCenter Server 6.5 U2 and vCenter Server 6.0 Patch 7, this behavior was triggered by any mismatch of case or value between the SAN entries of the two certificates, including extra fields present in only one of them. For example:

Old certificate SAN:
IP Address=10.10.10.122
DNS Name=vcenter65.vmware.com

New certificate SAN:
IP Address=10.10.10.123
DNS Name=VCENTER65.vmware.com
DNS Name=vcenter65
email=admin@acme.com
This issue is resolved in the following vCenter Server builds:

VMware vCenter Server 6.0 Update 3g, available at VMware Downloads.
VMware vCenter Server 6.5 Update 2, available at VMware Downloads.
VMware vCenter Server 6.7.0c, available at VMware Downloads.
To work around this issue, regenerate the certificate with the same case and values as the old Machine SSL Certificate.

This issue can also occur on the builds listed in the Resolution section if the new Machine SSL Certificate does not contain the PNID in the SAN field. Regenerate the certificate with the correct PNID in the SAN field to resolve the issue. Refer to Related Information in this article to verify the PNID and the Subject Alternative Names.
To display the PNID of a vCenter Server, log in to the vCenter Server and run the following command:

vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost

Run the following command to check the Subject Alternative Name field of the existing Machine SSL Certificate:

vCenter Server Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 Alternative

Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text

Run the following command to check the Subject Alternative Name field and the DNS Name values of the new certificate file:

openssl x509 -in <path_to_certificate_file> -noout -text | grep -A1 Alternative

For example:

openssl x509 -in mycert.crt -noout -text | grep -A1 Alternative
X509v3 Subject Alternative Name:
    DNS:myserver.mydomain.com, DNS:myserver
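The following pre-flight check is an added example and is not part of the VMware article or any VMware tool. It parses the "X509v3 Subject Alternative Name" block as printed by the openssl and vecs-cli commands above for the existing Machine SSL certificate and the replacement, then applies both checks the article describes: the strict, case-sensitive entry-by-entry comparison enforced before 6.5 U2 / 6.0 Patch 7, and the PNID-present check required on fixed builds. The sample SAN text is constructed from the article's example values, and treating DNS names case-insensitively for the PNID check is an assumption.

```python
"""Compare the SAN field of the current and replacement Machine SSL certs."""
import re

SAN_HEADER = "X509v3 Subject Alternative Name:"

# Constructed samples in the format of `openssl x509 -noout -text` output.
OLD_SAN_TEXT = f"""{SAN_HEADER}
    IP Address:10.10.10.122, DNS:vcenter65.vmware.com
"""
NEW_SAN_TEXT = f"""{SAN_HEADER}
    IP Address:10.10.10.123, DNS:VCENTER65.vmware.com, DNS:vcenter65, email:admin@acme.com
"""


def parse_san(openssl_text: str) -> list[tuple[str, str]]:
    """Return (type, value) pairs from the line that follows the SAN header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == SAN_HEADER and i + 1 < len(lines):
            pairs = []
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind:
                    pairs.append((kind.strip(), value.strip()))
            return pairs
    return []


def strict_mismatch(old, new) -> list[tuple[str, str]]:
    """Entries in one SAN but not the other, compared exactly (value and case).

    Any non-empty result is what the pre-6.5 U2 / 6.0 P7 check rejected."""
    return sorted(set(old) ^ set(new))


def pnid_present(new, pnid: str) -> bool:
    """True if the PNID appears in the new SAN (IPs exact, DNS names
    case-insensitive; the latter is an assumption of this example)."""
    values = [v for _, v in new]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", pnid):
        return pnid in values
    return pnid.lower() in (v.lower() for v in values)


def check_replacement(old_text: str, new_text: str, pnid: str) -> dict:
    """Run both checks on the SAN text of the old and new certificates."""
    old, new = parse_san(old_text), parse_san(new_text)
    return {"strict_mismatch": strict_mismatch(old, new),
            "pnid_present": pnid_present(new, pnid)}


if __name__ == "__main__":
    print(check_replacement(OLD_SAN_TEXT, NEW_SAN_TEXT, "vcenter65.vmware.com"))
```

Feed it the output of `vmafd-cli get-pnid` and the two openssl/vecs-cli listings instead of the constructed strings to check a replacement before running Certificate Manager.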