VMware Cloud Community
km257
Contributor

VCSA portal certificate expired

Hello, 

My VCSA portal stopped working because of certificate expiry, and when I tried to use the fixsts.sh script, it didn't work properly. I need guidance before proceeding here.

When I open vpxd.log, this is what I find:

2024-03-05T17:55:21.757-02:00 error vpxd[23534] [Originator@6876 sub=IO.Http] User agent failed to send request; (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)
--> [context]zKq7AVECAQAAAG0mVQEOdnB


Shen88
Hot Shot

@km257,

The error message "host name does not match the subject name(s) in certificate" can occur when the host name used for a connection does not match the subject name on the host certificate. This can happen for a number of reasons, including:
  • The host name used for the connection does not match the subject name on the host certificate
  • A certificate in the host's chain is based on an untrusted root
  • The host address specified in the SSL certificate is not the same as the host address mentioned in the NAT settings

You seem to have the same error as outlined in the post below, and there's a resolution to it. Please refer to it.

https://communities.vmware.com/t5/vCenter-Server-Discussions/The-host-name-used-for-the-connection-d...


If you think your queries have been answered, mark this response as "Correct" or "Helpful" and consider giving kudos to appreciate!

Regards,
Shen
drdoc_fred
Enthusiast

The error message 'Host name does not match the subject name(s) in certificate' in the context of a VCSA portal certificate expiration issue is caused by a mismatch of the machine PNID listed in the Subject Alternative Name (SAN) field of the existing MACHINE_SSL_CERTIFICATE and the replacement certificate. The PNID is equal to the System Name parameter input during deployment of vCenter. The System Name can either be a Fully Qualified Domain Name (FQDN) or an IP address. This mismatch can occur due to any difference in case or value between the SAN entries, including extra fields.

See KB 2150267.
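As an added illustration (not code from the thread, from VMware, or from any of the posters above), the following Python script shows what the vpxd verification failure in the first post and the SAN/PNID explanation in this reply amount to: it pulls ExpectedPeerName and the reported problems out of the quoted vpxd.log excerpt, then re-runs the peer-name check against the SAN entries of a certificate. The SAN entries (`vcsa01.lab.example.com`, `192.0.2.10`) are constructed sample values, and the matching logic is a simplified re-implementation of the usual DNS/IP SAN rules, not vCenter's own code.

```python
import ipaddress
import re

# The vpxd.log excerpt quoted in the original post, used here as sample input.
SAMPLE_VPXD_LOG = """\
2024-03-05T17:55:21.757-02:00 error vpxd[23534] [Originator@6876 sub=IO.Http] User agent failed to send request; (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint:
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)
--> [context]zKq7AVECAQAAAG0mVQEOdnB
"""

# Constructed SAN list standing in for a MACHINE_SSL_CERT whose PNID is an FQDN
# and which also carries the node's IP; the values are made up for illustration.
SAMPLE_SAN = [("DNS", "vcsa01.lab.example.com"), ("IP Address", "192.0.2.10")]


def parse_ssl_verify_block(log_text):
    """Extract the verification parameters vpxd logs with an SSLVerifyException."""
    fields = {"expected_peer_name": None, "peer_thumbprint": None, "problems": []}
    for line in log_text.splitlines():
        # Continuation lines of one vpxd log record are prefixed with "-->".
        body = line[3:].strip() if line.startswith("-->") else line.strip()
        m = re.match(r"ExpectedPeerName:\s*(\S*)", body)
        if m:
            fields["expected_peer_name"] = m.group(1) or None
        m = re.match(r"PeerThumbprint:\s*(\S*)", body)
        if m:
            fields["peer_thumbprint"] = m.group(1) or None
        if body.startswith("* "):
            # Problem bullets; drop the trailing ".)" that closes the exception text.
            fields["problems"].append(body[2:].rstrip(")").rstrip("."))
    return fields


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS SAN match; a wildcard is allowed only as the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and never the public suffix.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(san_entries, expected_peer_name):
    """Return (ok, reason) for the name a client expects versus a cert's SAN entries."""
    try:
        addr = ipaddress.ip_address(expected_peer_name)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal must match an "IP Address" SAN, never a DNS entry.
        for kind, value in san_entries:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == addr:
                        return True, f"IP Address SAN {value} matches"
                except ValueError:
                    continue
        return False, "no IP Address SAN matches the expected address"
    for kind, value in san_entries:
        if kind == "DNS" and _dns_name_matches(value, expected_peer_name):
            return True, f"DNS SAN {value} matches"
    return False, "Host name does not match the subject name(s) in certificate"


def diagnose(log_text, san_entries):
    """Combine what vpxd reported with an independent SAN check for the same name."""
    parsed = parse_ssl_verify_block(log_text)
    ok, reason = peer_name_matches(san_entries, parsed["expected_peer_name"] or "")
    return {
        "expected_peer_name": parsed["expected_peer_name"],
        "vpxd_problems": parsed["problems"],
        "san_match": ok,
        "san_reason": reason,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_VPXD_LOG, SAMPLE_SAN).items():
        print(f"{key}: {value}")
```

With the sample input, the expected peer name "localhost" is neither a DNS nor an IP SAN of the constructed certificate, so the independent check reproduces the "Host name does not match" verdict vpxd logged; swapping in the FQDN or the IP the cert actually carries makes the check pass, which is the comparison worth making before re-issuing certificates.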
BarryGrowler
Enthusiast

To renew your expired VCSA certificate, first take a snapshot of the VCSA VM. Then, check the STS cert validity using the checksts.py script and renew it with fixsts.sh if needed. Restart all services, and run the Lookup Service Doctor to fix any SSL trust mismatches that may have broken trust relationships.

Finally, use the Certificate Manager to regenerate the VMCA Root and replace all certificates. Verify services are running and you can access vCenter.
