VCSA Subject Alternative Name

shadragon · May 6, 2020, 2:51pm

My domain is: arc.bm

I ran this command: certbot certonly --manual --preferred-challenges=dns -d vcenter.arc.bm

It produced this output:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vcenter.arc.bm/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vcenter.arc.bm/privkey.pem
Your cert will expire on 2020-08-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

My web server is (include version): Not web server, but vCenter Appliance (VCSA 6.7)

The operating system my web server runs on is (include version): Photon (VMWare)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

So successfully created a cert for vcenter.arc.bm I uploaded it to the VCSA appliance and ran the built in scripts to install it. However, I hit this error and it rolled back to the original:

Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
Performing rollback of Machine SSL cert

Cert info is:

Certificate Name: vcenter.arc.bm
Domains: vcenter.arc.bm
Expiry Date: 2020-08-04 12:14:17+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/vcenter.arc.bm/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vcenter.arc.bm/privkey.pem

Ran a vmware command to get the SAN for the orignal cert and it says:

X509v3 Subject Alternative Name:
DNS:vcenter.arc.bm

I tried this twice. Once with a wildcard arc.bm cert, it failed with the same error and I read vmware dfoes not like wildcards, so I generated a specific vcenter.arc.bm cert. Yet, that also fails with the SAN error.

I cannot see a designated SAN on the new cert.

How do I designate the SAN on the new cert? Thanks.

JuergenAuer · May 6, 2020, 3:03pm

Hi @shadragon

there is a SAN. Checked your domain via https://check-your-website.server-daten.de/?q=vcenter.arc.bm - then it's possible to download the certificate.

And the certificate has the (expected) SAN domain name.

If you use Windows: Copy the certificate in a TXT file, change the file extension to .crt - then you can open it.

Your certificate

So it's a bug or error of your client / program.

May be your machine name is wrong.

Letsencrypt certificates have always a SAN-list. May be a SAN-list with one element.

system · June 5, 2020, 3:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple certs with a SAN: How can I change the "main" domain? Help	5	1295	October 16, 2016
Wrong subjectAlternativeName with certbot dns-01 challenge Help	11	2065	February 8, 2019
Subject Alternative Name (SAN) mechanism Server	8	15708	June 4, 2019
Cant get certbot to make multiple domains Subject Alternative Name SAN Certificate Help	26	5862	April 4, 2022
Letsencrypt certbot wrong common name/subject alt names Help	11	2504	February 6, 2021

VCSA Subject Alternative Name

Related topics