VMware vSphere

  • 1.  The vCenter Server Appliance FQDN does not match the certificate in VECS

    Posted Jan 05, 2024 08:05 PM

    I'm in the process of an appliance upgrade from 6.7 to 7 and get the following error during Stage 2 of the Upgrade Wizard (GUI version):

    Error: The vCenter Server Appliance FQDN xxx.xx.xx.x does not match the certificate in VMware Endpoint Certificate Store (VECS): Certificate DNS names: "" Certificate CN: "" Certificate addresses: ""

    Resolution: Verify that the certificate in VMware Endpoint Certificate Store (VECS) is valid and that it points to the vCenter Server Appliance FQDN.

     I had another certificate error in addition to this, which was cleared by running the lsdoctor tool. However, this error remains and I'm not quite sure how to resolve it.

    I've rebooted the appliance several times. I've verified that vCenter PNID and hostname match exactly, including case. I've also renewed the vCenter Machine SSL Certificate (and rebooted).

    FWIW, we pay extra for Production Support and should have a 4-hour contact window for the case I submitted yesterday. It's been 24 hours so far and no response from support, sadly.

    I'm hoping to get this resolved ASAP, so would appreciate any insight.

    TIA



  • 2.  RE: The vCenter Server Appliance FQDN does not match the certificate in VECS

    Posted Jan 05, 2024 08:11 PM

    Have you reviewed the workarounds on this KB? Seems this is a known issue:

    https://kb.vmware.com/s/article/78657 



  • 3.  RE: The vCenter Server Appliance FQDN does not match the certificate in VECS

    Posted Jan 05, 2024 08:35 PM

    Thanks for the reply. Yes, I came across this KB, but was at a bit of a loss.

    For workaround #1, the CN for the Machine certificate does match the PNID, so that appears to be in order (or does not apply).

    For workaround #2, we're using the VMware-provided certificates. I did renew the existing one and rebooted, but that did not clear the issue. If I go through the steps to replace the certificate in vCenter, it only gives me the option to replace with a CA-signed certificate, which I'd like to avoid doing as we prefer to stay with the VMware-provided certificates.



  • 4.  RE: The vCenter Server Appliance FQDN does not match the certificate in VECS

    Posted Jan 05, 2024 10:32 PM

    You may want to verify your reverse DNS if you have not. That often gets missed, and I have seen times where there was a stale record from reusing IPs that caused a problem.
    There is also a way to manually validate the certs just to make sure one of the fields doesn't have something like a .local in it.
    https://kb.vmware.com/s/article/2111411

    If you pay for support and you are down, I would call in and see about getting someone. Even an S3 has an 18-hour SLA.
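
The checks suggested in the reply above (reverse DNS, and certificate fields that do not match or carry a stray suffix such as .local), written out as an added example that is not part of the thread or of VMware's tooling. It assumes the Machine SSL certificate has been dumped as `openssl x509 -noout -text` output; the sample text, the host names and the comparison rules are constructed for illustration and are not the upgrade wizard's own logic.

```python
import re

# Constructed sample: trimmed `openssl x509 -noout -text` output, not from the thread.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Subject: CN=VCSA01.corp.example, C=US
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vcsa01.corp.local, IP Address:192.0.2.10
"""

def cert_names(text):
    """Return (cn, dns_names, ip_addresses) parsed from openssl -text output."""
    subject = re.search(r"^\s*Subject:(.*)$", text, re.M)
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", subject.group(1)) if subject else None
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    entries = [e.strip() for e in san.group(1).split(",")] if san else []
    dns = [e[4:] for e in entries if e.startswith("DNS:")]
    ips = [e[11:] for e in entries if e.startswith("IP Address:")]
    return (cn.group(1).strip() if cn else ""), dns, ips

def check(text, pnid, ptr_name=None):
    """List mismatches between the certificate and the PNID / PTR record.

    Assumed rules: CN equals the PNID including case, the PNID appears in
    the SAN, no SAN name ends in .local, and the PTR name equals the PNID.
    """
    cn, dns, ips = cert_names(text)
    problems = []
    if cn != pnid:
        kind = "case differs" if cn.lower() == pnid.lower() else "mismatch"
        problems.append(f"CN {cn!r} vs PNID {pnid!r}: {kind}")
    if pnid not in dns and pnid not in ips:
        problems.append(f"PNID {pnid!r} not in SAN {dns + ips}")
    for name in dns:
        if name.lower().endswith(".local"):
            problems.append(f"SAN entry {name!r} ends in .local")
    if ptr_name is not None and ptr_name.rstrip(".").lower() != pnid.lower():
        problems.append(f"PTR {ptr_name!r} does not resolve back to the PNID")
    return problems

if __name__ == "__main__":
    # ptr_name stands for what a reverse lookup of the appliance IP returned
    # (constructed value simulating a stale record).
    for p in check(SAMPLE_TEXT, "vcsa01.corp.example", ptr_name="old-host.corp.example."):
        print("WARN", p)
```

An empty result from `check` means none of the assumed rules flagged the certificate; a certificate with blank fields, as in the error quoted in the first post, is reported as a CN mismatch and a missing SAN entry.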



  • 5.  RE: The vCenter Server Appliance FQDN does not match the certificate in VECS

    Posted 2 days ago

    Hi, can you share your solution? /usr/lib/vmware-vmca/bin/certificate-manager Option 4: have you tried it?