Part#2: Preparing Hosts For Commissioning in VCF9.0.1 and Fixing FQDN/SAN & Certificate Mismatches during VCF Management domain installation

This article covers preparing ESX hosts for commissioning during deployment of the VCF management domain, and fixing the host-add failures in the VCF installer that are caused by certificate SAN/FQDN mismatches and misconfigured host identity.

When deploying a VMware Cloud Foundation (VCF) 9.0 management domain, you must prepare a minimum of three ESX hosts to meet the platform’s baseline requirements. This ensures that core management components have sufficient resources and can operate with the expected level of resilience.

A brief specification of the hosts used in the lab:

  No. of ESX hosts     3
  Host memory          128 GB
  Storage              6 disks: 1 x 100 GB, 5 x 250 GB
  Network adapters     4


Nested Hosts Preparation:

I am building these ESX hosts in a nested lab environment and did the following:

1. Download the vendor-supplied ESX installer and upload the OVA/ISO to the datastore.

2. Create a new VM for each nested host and assign CPU, memory, storage and networking according to the lab host specification above. In the CPU settings, enable "Expose hardware assisted virtualization to the guest OS" so the nested host can itself run VMs. Configure the VM to boot from the ESX installation media and run the installation inside the nested VM.

Complete the standard installation steps, then repeat them for all three hosts.

After installation, set the hostname/FQDN, management IP, DNS and NTP on each host.

Configure DNS entries for all the ESX hosts:

In my lab I have configured Windows Server 2016 as the DNS server. Create both forward (A) and reverse (PTR) records for all ESX hosts; every host must be resolvable by its fully qualified domain name (FQDN).

Always verify the DNS entries and check that the forward and reverse records agree with each other and with the host's configured FQDN; otherwise commissioning fails at host validation.




Configure NTP on all hosts with the startup policy set to "Start and stop with host", and ensure the NTP service is in the running state.



Once all hosts are installed, start the VCF installer. The workflow wizard reaches the Add Hosts screen, where you add the hosts and confirm each ESX host's certificate thumbprint.

When I tried adding the host, it gave the following error.

Initial error: Certificates for esx02.vplab.local does not match any of the subject alternative names [localhost.localdomain]



To resolve this, do the following on every host (the values below are for esx02; substitute each host's own FQDN).

1. SSH into the host and set the hostname from localhost.localdomain to the host's FQDN:

esxcli system hostname set --fqdn=esx02.vplab.local

where esx02.vplab.local is the FQDN of this ESX host.

2. Stop the services:

services.sh stop

3. Remove the existing certificate and key from the /etc/vmware/ssl directory. It contains two objects, rui.crt and rui.key; remove both of them (moving them aside with a timestamp keeps a rollback copy).

4. Once the old certificate pair is removed, regenerate it:

/sbin/generate-certificates

5. Start the services again:

services.sh start

Note that regenerating the pair also changes the host's certificate thumbprint, so the thumbprint the installer asks you to confirm will differ from the one shown before the fix.
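The host preparation above (hostname, DNS, NTP) and the five-step certificate fix are the pieces lesson 3 below suggests scripting. The following is an added example of such a prep script, written for this article; it is not VMware tooling. It assumes (none of this is stated in the article) that the management kernel port is vmk0, that the lab NTP server is 10.0.0.10 (override with the NTP_SERVER variable), and that the ESX commands named in the comments are on PATH. It is written as POSIX sh because the ESX shell is busybox ash. `check` verifies that forward and reverse DNS agree, that NTP is running and whether the certificate SAN covers the FQDN; `fix` sets the FQDN, configures NTP, regenerates the certificate exactly as in the steps above and prints the new thumbprint.

```shell
#!/bin/sh
# prep-host.sh: prepare an ESX host for VCF commissioning and make its
# certificate SAN match its FQDN.  Added example for this article, not VMware
# tooling; POSIX sh because the ESX shell is busybox ash.
# Assumptions (not from the article): management vmk is vmk0, NTP_SERVER below
# is the lab NTP source, and esxcli, services.sh, /sbin/generate-certificates,
# chkconfig, nslookup and openssl (all shipped with ESX) are on PATH.
#
#   sh prep-host.sh check esx02.vplab.local   # verify DNS, NTP and SAN only
#   sh prep-host.sh fix   esx02.vplab.local   # set FQDN, NTP, regen cert, restart

NTP_SERVER="${NTP_SERVER:-10.0.0.10}"   # assumption: lab NTP server
SSL_DIR=/etc/vmware/ssl

# Pull the DNS entries out of `openssl x509 -text` output (stdin), one per line.
# -text rather than -ext so it works on every OpenSSL build ESX ships.
san_names_from_text() {
    grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

cert_san_names() {   # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -text 2>/dev/null | san_names_from_text
}

# Succeed if the FQDN ($2) is covered by the newline-separated SAN list ($1):
# case-insensitive exact match, or a wildcard in the left-most label only.
san_matches() {
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    domain="${fqdn#*.}"
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | while IFS= read -r san; do
        case "${san%.}" in
            "$fqdn" | "*.$domain") echo match; break ;;
        esac
    done | grep -q match     # the loop runs in a subshell, so signal via output
}

mgmt_ip() {   # IPv4 address of the management kernel port (assumed vmk0)
    esxcli network ip interface ipv4 get -i vmk0 | awk '$1 == "vmk0" { print $2 }'
}

# Forward (name -> IP) and reverse (IP -> name) records must both exist and
# agree, otherwise VCF host validation fails.
dns_consistent() {   # $1 = fqdn, $2 = IP
    nslookup "$1" 2>/dev/null | grep -qwF "$2" || { echo "no A record $1 -> $2" >&2; return 1; }
    nslookup "$2" 2>/dev/null | grep -qiF "$1" || { echo "no PTR record $2 -> $1" >&2; return 1; }
}

ntp_configure() {
    esxcli system ntp set --server="$NTP_SERVER" --enabled=true
    chkconfig ntpd on          # startup policy: start and stop with host
    /etc/init.d/ntpd restart
}

ntp_running() {
    /etc/init.d/ntpd status 2>/dev/null | grep -q 'is running'
}

# The article's fix: set the FQDN first, then regenerate rui.crt/rui.key with
# services stopped.  The old pair is moved aside with a timestamp instead of
# deleted so the host can be rolled back if generation fails.
regenerate_cert() {   # $1 = fqdn
    esxcli system hostname set --fqdn="$1"
    services.sh stop
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$SSL_DIR/rui.crt" "$SSL_DIR/rui.crt.$stamp"
    mv "$SSL_DIR/rui.key" "$SSL_DIR/rui.key.$stamp"
    /sbin/generate-certificates
    services.sh start
}

# Print what the VCF installer will see and fail if the SAN still does not match.
report() {   # $1 = fqdn
    names=$(cert_san_names "$SSL_DIR/rui.crt")
    printf 'hostname : %s\n' "$(esxcli system hostname get | awk '/Fully Qualified/ { print $NF }')"
    printf 'SAN      : %s\n' "$(printf '%s' "$names" | tr '\n' ' ')"
    # the thumbprint changes on every regeneration; this is the value to confirm in the installer
    openssl x509 -in "$SSL_DIR/rui.crt" -noout -fingerprint -sha256
    if san_matches "$names" "$1"; then
        echo "SAN matches $1"
    else
        echo "SAN mismatch: certificate does not cover $1" >&2
        return 1
    fi
}

case "${1:-}" in
    check) dns_consistent "$2" "$(mgmt_ip)" && echo "DNS ok"
           ntp_running && echo "NTP running"
           report "$2" ;;
    fix)   ntp_configure
           regenerate_cert "$2"
           report "$2" ;;
    *)     ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

The SAN check is deliberately stricter than grepping the certificate for the hostname: it lowercases, strips trailing dots and accepts a wildcard only in the left-most label, the usual RFC 6125-style rules a TLS client applies. Run `check` on every host before returning to the Add Hosts screen, and use the SHA-256 fingerprint it prints to confirm the thumbprint the installer shows you.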



I did the same on all three hosts; when I added the hosts again they were accepted, because the certificate SAN now matched the FQDN.

Run the validation again; it passes now.



Lessons Learnt:

1. ESX generates a self-signed certificate at install time, before you set the final hostname, so the CN/SAN often ends up as localhost.localdomain. After installing the ESX hosts, always set the FQDN first and then regenerate the certificates.

2. VCF 9.0.x validates host identity over HTTPS during commissioning and expects the certificate CN/SAN to match the FQDN you supply. If the SAN does not match the FQDN you submit, commissioning fails, so always make sure the certificate matches the FQDN.

3. Keep a small prep script for hosts you plan to commission (hostname, DNS, NTP, certificate regeneration, service restart).

