Operational Defect Database
BugZero updated this defect 54 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
VMware | 97116
"ERR_CERT_COMMON_NAME_INVALID" error in browser when accessing Cloud Director VAMI after replacing Appliance Management certificate.
Last update date:
3/26/2024
Affected products:
Cloud Director
Affected releases:
10.410.5
Fixed releases:
No fixed releases provided.
Description:
Symptoms
Cloud Director Appliance Management certificate has been replaced as per the documentation for the appropriate version: Cloud Director 10.5.1 and later: Certificate Management in the VMware Cloud Director Appliance 10.5.1 and LaterCloud Director 10.5.0:Replace Your VMware Cloud Director 10.5.0 Appliance Management Key-Certificate PairCloud Director 10.4.x and earlier:Replace the Appliance Management Key-Certificate Pair The new Appliance Management certificate has been signed by a certificate authority.After applying the new certificate and restarting the services the Cloud Director Appliance VAMI on port 5480 cannot be reached due to a browser error similar to: ERR_CERT_COMMON_NAME_INVALID
Cause
This can occur if the new Appliance Management certificate does not have valid Subject Alternative Name (SAN) entries including a DNS entry for the Cloud Director Appliance FQDN.
Resolution
To resolve this issue ensure that the new Appliance Management certificate being applied to the Cloud Director Cell has valid Subject Alternative Name (SAN) entries present. To check if the CSR generated on the Cell has a valid SAN extension an openssl command such as the following could be used: openssl req -in /opt/vmware/appliance/etc/ssl/vcd_ova.csr -noout -text If a SAN entry was included in the CSR then we would expect a section similar to the following: Requested Extensions:X509v3 Subject Alternative Name: DNS:vcd.example.com, IP Address:1.2.3.4 Generate a new CSR with valid SAN extensions or add the desired SAN extensions using the process outlined by the Certificate Authority during the certificate signing process.The Cloud Director documentation describes the process for generating the CSR which includes example SAN entries: Cloud Director 10.5.1 and later: Certificate Management in the VMware Cloud Director Appliance 10.5.1 and LaterCloud Director 10.5.0:Replace Your VMware Cloud Director 10.5.0 Appliance Management Key-Certificate PairCloud Director 10.4.x and earlier:Replace the Appliance Management Key-Certificate Pair
