vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check

AndyDodsworth — Wed, 18 Jan 2023 17:21:32 GMT

Hello - looking for some advice on an vCenter upgrade I'm attempting from 6.7 U3 to 7.0 U3.

I ran pre-checks using Skyline Health Diagnostics and I have one pre-check failure:

VC_UPC.VCSA.CertSANCheck: Certificate SAN DNS and FQDN Check

vCenter Server 7.0 requires Machine FQDN to be past of SubjectAltName of Certificate

KB Number: 2097936

Resolution:

Certificate Requirements: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-DE49FBF5-E24A-462B-91DC-C4284D93F654.html

Please read KB: https://kb.vmware.com/s/article/2097936 for more details on replacing certificates.

Investigation Details:

Data Collection Time: 2023-01-12T19:50:13

Certificate: vCenter Rhttpproxy TLS Certificate has no DNS Name in SubjectAltName

Certificate Subject Alternative Names

Certificate FQDN SAN-DNS Status

vCenter Rhttpproxy TLS Certificate

(correct FQDN - redacted)

[]

RED

One of more Certificates on vCenter have no or incorrect DNS in SubjectAltName

I have checked the certs on the VCSA and the TRUSTED_ROOTS cert does indeed have a SAN set to the following (which I understand is the default):

X509v3 Subject Alternative Name:

email:email@acme.com, IP Address:127.0.0.1

But given, the error above appears to say the issue is with the vCenter Rhttpproxy TLS Certificate (which I'm not sure is a VCSA or ESXi cert?).

So my question is, which course of action would you recommend to fix this issue?

a) A complete renewal of all certs in the environment?

b) A refresh of the ESXi certs?

c) ?

BTW - we're using VMCA-signed certs in this environment.

TIA.

Re: vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check

compdigit44 — Wed, 18 Jan 2023 18:19:32 GMT

Have you run through the steps in the following KB to see if the pnid matches.... https://kb.vmware.com/s/article/50112870

Re: vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check

AndyDodsworth — Thu, 19 Jan 2023 17:09:10 GMT

Thanks - I ran each step in the KB and all three outputs were set to the FQDN of the VCSA.

I used to have an external PSC but that was consolidated to an embedded maybe a year ago - this is the first major upgrade since that was performed - could that have caused an issue?

The only reference to the old external PSC is on the 'issuer' section of the certs, everything else is set to the FQDN of the VCSA.

topic Re: vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check in VMware vSphere™ Discussions

vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check

Re: vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check

Re: vSphere Upgrade Pre-Check Failure - Certificate SAN DNS and FQDN Check