VCSA Subject Alternative Name

My domain is: arc.bm

I ran this command: certbot certonly --manual --preferred-challenges=dns -d vcenter.arc.bm

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vcenter.arc.bm/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/vcenter.arc.bm/privkey.pem
    Your cert will expire on 2020-08-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

My web server is (include version): Not a web server, but vCenter Appliance (VCSA 6.7)

The operating system my web server runs on is (include version): Photon (VMWare)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

So I successfully created a cert for vcenter.arc.bm. I uploaded it to the VCSA appliance and ran the built-in scripts to install it. However, I hit this error and it rolled back to the original:

Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
Performing rollback of Machine SSL cert

Cert info is:

Certificate Name: vcenter.arc.bm
Domains: vcenter.arc.bm
Expiry Date: 2020-08-04 12:14:17+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/vcenter.arc.bm/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vcenter.arc.bm/privkey.pem

I ran a VMware command to get the SAN for the original cert and it says:

X509v3 Subject Alternative Name:
DNS:vcenter.arc.bm

I tried this twice. Once with a wildcard arc.bm cert: it failed with the same error, and I read that VMware does not like wildcards, so I generated a specific vcenter.arc.bm cert. Yet that also fails with the SAN error.

I cannot see a designated SAN on the new cert.

How do I designate the SAN on the new cert? Thanks.

Hi @shadragon

There is a SAN. I checked your domain via https://check-your-website.server-daten.de/?q=vcenter.arc.bm; from there it's possible to download the certificate.

And the certificate has the (expected) SAN domain name.

If you use Windows: Copy the certificate in a TXT file, change the file extension to .crt - then you can open it.

Your certificate

-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----

So it's a bug or error in your client / program.

Maybe your machine name is wrong.

Let's Encrypt certificates always have a SAN list. Maybe a SAN list with one element.
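The check the VCSA installer is effectively performing is "does the new certificate's Subject Alternative Name list equal the old one's?". The script below is an added example, not part of either post or of VMware's certificate tooling: it shows how to pull the SAN list out of a PEM file with the openssl CLI (a fullchain.pem works as-is, because `openssl x509` reads only the first block, i.e. the leaf certificate) and compare two lists as normalised text. The three certificates it generates are constructed self-signed test data; in practice you would point `san_of` at an export of the current MACHINE_SSL_CERT and at `/etc/letsencrypt/live/vcenter.arc.bm/fullchain.pem`. The wildcard case is included because a SAN of `DNS:*.arc.bm` is a different name from `DNS:vcenter.arc.bm`, so the earlier wildcard attempt could never have passed this comparison.

```shell
#!/bin/sh
# Added example (not from the forum thread or VMware): compare the X509v3
# Subject Alternative Name list of an existing certificate with that of a
# replacement, the way the VCSA installer does before swapping the machine
# SSL cert. Requires the openssl CLI.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throw-away self-signed certificate with the given SAN list.
# This is constructed test data; real input would be the exported
# MACHINE_SSL_CERT and the Let's Encrypt fullchain.pem.
#   $1 = output PEM path, $2 = SAN list, e.g. "DNS:vcenter.arc.bm"
make_cert() {
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = vcenter.arc.bm
[v3_req]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$1" -config "$WORK/san.cnf" \
        >/dev/null 2>&1
}

# Print the SAN entries of the first certificate in a PEM file (a
# fullchain.pem therefore yields the leaf, not the intermediate), one
# sorted entry per line so two lists can be compared as plain text.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sort
}

# Succeed only when both certificates carry exactly the same SAN list.
same_san() {
    [ "$(san_of "$1")" = "$(san_of "$2")" ]
}

make_cert "$WORK/old.pem"  "DNS:vcenter.arc.bm"   # stands in for the current cert
make_cert "$WORK/new.pem"  "DNS:vcenter.arc.bm"   # correct replacement
make_cert "$WORK/wild.pem" "DNS:*.arc.bm"         # the wildcard attempt

for f in old new wild; do
    printf '%s.pem SAN: %s\n' "$f" "$(san_of "$WORK/$f.pem" | tr '\n' ' ')"
done

if same_san "$WORK/old.pem" "$WORK/new.pem"; then
    echo "new.pem: SAN matches the existing certificate"
else
    echo "new.pem: SAN differs (the VCSA installer would roll back)"
fi

if same_san "$WORK/old.pem" "$WORK/wild.pem"; then
    echo "wild.pem: SAN matches"
else
    echo "wild.pem: SAN differs, a wildcard is a different name"
fi
```

If `san_of` prints nothing for the new certificate, the file you uploaded is not the leaf you think it is (for example a key, a CSR, or an intermediate on its own); if it prints the right name but the installer still rolls back, the mismatch is on the appliance side, and the next thing to compare is the existing MACHINE_SSL_CERT against the hostname the appliance was deployed with.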
