VMware Cloud Community
aloksinghericss
Contributor

Unable to login after updating hostname in vCenter 5.5

Hi,

I am unable to log in after changing the hostname and regenerating the self-signed SSL certificates. I am getting the below error in the logs.

I used the below blog to update the hostname, and as per my understanding it is the correct way to update the hostname.

When we ssh to the vcenter and check the logs, attached is one file (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log)

[2019-06-06 14:13:16.189] [INFO ] http-bio-9443-exec-10        70000201 100006 ###### com.vmware.vise.security.DefaultAuthenticationProvider Authenticating user: root using authentication handler: com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler@6f9dad3
[2019-06-06 14:13:16.254] [ERROR] http-bio-9443-exec-10        70000201 100006 ###### com.vmware.vise.vim.lookup.impl.LookupServiceImpl Error when creating lookup service com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:267)
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:230)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <xxxxxxxxxxxxvca.xxxxx.xxxxxxxxx.net> != <"ssoserver> OR <ndc2cnz03mspvca>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
    at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:253)

0 Kudos

Accepted Solutions
msripada
Virtuoso

The hostname is not matching the new name, so the service will not start.

You need to regenerate the certificates and then validate whether the certificate was generated successfully with the new hostname.

From your description, you mentioned that you have tried regenerating the self-signed certificates. If that did not change the hostname in the certificates to the new one, you need to try a different way.

In an SSH session to the vSphere Center Server Appliance (VCSA), edit /etc/sysconfig/networking/devices/ifcfg-eth0 to ensure that the host has the correct name when network configuration occurs.

Insert this entry before the IP Address line:

HOSTNAME=hostname.fqdn

Where hostname.fqdn is the fully qualified VCSA hostname desired.

Save the file and exit the editor.

Use only one of these methods to change the VCSA hostname:

Run this command:

/opt/vmware/share/vami/vami_config_net

Change the hostname from the VAMI page directly by navigating to VCSA_IP:5480 in a Web browser, where VCSA_IP is the IP address of the VCSA.

Verify the hostname has changed using this command:

cat /etc/hosts

To prevent generation of new certificates every reboot, navigate to the VAMI page, click the Admin Tab, and press the Toggle Certificate Setting Button to set 'Certificate Regeneration Enabled' to no.

Manually generate the vCenter server appliance certificates by using the below KB

https://kb.vmware.com/s/article/2070603 -> Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5

Thanks,

MS

0 Kudos
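
One way to do the "validate the certificate against the new hostname" step from the answer above, as an added example that is not part of the original posts. It assumes OpenSSL 1.0.2 or later (for `x509 -checkhost`), so it may need to run from an admin workstation rather than the appliance; the function names and the hostnames `vcsa01` / `vcsa01.example.test` are hypothetical, and the demo certificate is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenSSL 1.0.2 or later for
# "x509 -checkhost"; function names and hostnames are hypothetical.

# Save the certificate a live service presents, e.g. fetch_cert HOST 443 out.pem
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Return 0 if the certificate in PEM file $1 is valid for hostname $2,
# 1 if it is not, 2 if the file cannot be parsed.
cert_matches_host() {
    local out
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null) || return 2
    case "$out" in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed test input: a throwaway self-signed certificate whose only
# name is CN=$1 (no subjectAltName), written to $2 (key goes to $2.key).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
        -subj "/CN=$1" -days 1 -out "$2" 2>/dev/null
}

# Demo: a certificate issued for the short name fails for the FQDN,
# the same kind of mismatch the client log in the question reports.
demo() {
    local dir name rc=0
    dir=$(mktemp -d)
    make_demo_cert "vcsa01" "$dir/cert.pem"
    for name in vcsa01 vcsa01.example.test; do
        if cert_matches_host "$dir/cert.pem" "$name"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    rm -rf "$dir"
    return "$rc"
}
demo || true
```

After regenerating the certificates, `fetch_cert` followed by `cert_matches_host` with the new FQDN should return 0 for each service port before login is retried.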
aloksinghericss
Contributor

Manual Regeneration of Certificates solved the issue

https://kb.vmware.com/s/article/2070603 -> Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5

0 Kudos