Deployment or Host Commissioning Certificate Error

During a VCF 4.2 deployment I ran into a new error that I hadn't seen previously. Usually I use VLC and all the pre-reqs have been taken care of for me. However, in this instance I needed to deploy VCF in a nested environment under vCloud Director, where VLC wouldn't work. I loaded up my ESXi hosts, configured their IP/DNS/NTP settings, enabled NTP and SSH, and set up their networks, disks, etc. I then deployed Cloud Builder and populated my deployment spreadsheet. When I got to the validations after submitting my spreadsheet I ran into the following error:

SSL Certificate common name doesn’t match ESXi FQDN.

I said to myself that there was nothing wrong here, acknowledged that validation had failed with the above error, and proceeded to deploy, only to then hit another error:

Create new Local ESXi user failed

Thinking I had a bad deployment, considering I am doing this nested in vCloud Director, I spun up a new vApp, deployed the ESXi hosts and tried again, only to find the same error repeated during validation in Cloud Builder. After doing a bit more research I found that we had implemented a security check that requires the SSL certificate to match the supplied hostname, to prevent man-in-the-middle attacks. If you install ESXi from ISO/USB etc. you walk through the normal setup process, but it isn't until after you reboot that you are able to configure a hostname, IP address, DNS, NTP, etc., and by then the host's self-signed certificate has already been generated. In talking with @bsier he said he hadn't had these errors presented in VLC, and found that this was because VLC uses a kickstart file. So in an effort to troubleshoot the error we looked at the host certificate: on my host the common name was set to localhost.localdomain, whereas on a host built with kickstart it was set to the hostname, in my example esxi-1.vcf.sddc.lab.

Now how do I resolve this so that validation works properly and the deployment can create the local user? The solution is actually pretty simple and does not require a kickstart file. Simply SSH to each ESXi host and run the following commands:

/sbin/generate-certificates
reboot

Once the host had rebooted, validation passed successfully and I was able to complete bringup without a problem. However, once bringup was complete I tried to commission hosts to create a Workload Domain, only to be faced with the following error:

Again, it failed on the FQDN for the Common Name in the certificate.

After seeing this I ran the same commands on the hosts being commissioned:

/sbin/generate-certificates
reboot

After rebooting I attempted to commission the host again, and this time it succeeded.

Hoping this quick fix helps you in your journey deploying VCF!
