Pivotal Knowledge Base


CredHub Fails to Start when Deploying Pivotal Cloud Foundry 1.11 and 1.12


Pivotal Cloud Foundry versions 1.11 and 1.12
CredHub versions 1.5.x and earlier


When deploying PCF 1.12, the CredHub deployment fails:

Failed deploying (00:52:56)

Stopping registry... Finished (00:00:00)
Cleaning up rendered CPI jobs... Finished (00:00:00)

  Running the post-start script:
    Sending 'get_task' to the agent:
      Agent responded with error: Action Failed get_task: Task dd32d331-40eb-4806-7f87-2be3731f613d result: 1 of 2 post-start scripts failed. Failed Jobs: credhub. Successful Jobs: uaa.

Exit code 1

Additionally, credhub.log includes the following error:

javax.net.ssl.SSLPeerUnverifiedException: Certificate doesn't match any of the subject alternative names: [, localhost,]


When CredHub is deployed, it attempts to verify the connection to UAA on the BOSH Director with the Ops Manager certificate Subject Alternative Name (SAN). Ops Manager 1.6 and earlier generated non-configurable certificate SANs in a format CredHub does not understand. If your original PCF deployment was PCF 1.6 or earlier, you must regenerate the Director certificates.
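One way to confirm this failure from the log, as an added example (not Pivotal's code): the script scans credhub.log text for the exception quoted above, lists the SAN entries the certificate presented, and checks whether any of them covers the host CredHub uses to reach UAA. The sample log lines, their timestamps and the host name `director.example.internal` are constructed placeholders.

```python
import re

# Constructed sample: timestamps and the first line are made up; the exception
# text is the credhub.log line quoted in the article.
SAMPLE_LOG = """\
2017-10-02T10:15:01Z INFO  Starting CredHub
2017-10-02T10:15:04Z ERROR javax.net.ssl.SSLPeerUnverifiedException: Certificate doesn't match any of the subject alternative names: [, localhost,]
"""

SAN_ERROR = re.compile(
    r"SSLPeerUnverifiedException: Certificate doesn't match any of "
    r"the subject alternative names: \[(?P<sans>[^\]]*)\]"
)

def parse_san_errors(log_text):
    """Return the SAN list from each matching line; blank entries stay as ''."""
    found = []
    for line in log_text.splitlines():
        m = SAN_ERROR.search(line)
        if m:
            found.append([s.strip() for s in m.group("sans").split(",")])
    return found

def san_matches(host, san):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san:
        return False  # a blank SAN entry can never match a host
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def diagnose(log_text, uaa_host):
    """Summarise each SAN mismatch and whether uaa_host is covered at all."""
    findings = []
    for sans in parse_san_errors(log_text):
        usable = [s for s in sans if s]
        findings.append({
            "sans": sans,
            "empty_entries": len(sans) - len(usable),
            "host_covered": any(san_matches(uaa_host, s) for s in usable),
        })
    return findings

if __name__ == "__main__":
    # director.example.internal is a hypothetical Director host name.
    for f in diagnose(SAMPLE_LOG, "director.example.internal"):
        print(f)
```

A finding with blank SAN entries and `host_covered` false for the Director's UAA host is consistent with the certificate problem described here.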


To resolve this issue, regenerate the Director certificates using the Ops Manager API:

  1. Use curl to make an API call to regenerate all non-configurable certificates for your existing Ops Manager Director:

    $ curl "https://OPS-MAN-FQDN/api/v0/certificate_authorities/active/regenerate" \
    -X POST \
    -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN" \
    -H "Content-Type: application/json" \
    -d '{}'

  2. Navigate to Ops Manager and click "Apply Changes".

See Regenerating and Rotating Non-Configurable TLS/SSL Certificates for more information about regenerating certificates and certificate authorities (CA).


  • Fedor Vompe

    This problem also arises when the DNS entry for OpsDirector is configured incorrectly.
