Installing 3rd party SVM fails due to SSL thumbprint mismatch error
book
Article ID: 303266
calendar_today
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
When NSX 3rd-party SVM certificate is changed, Service Deployment shows a warning message as SSL thumbprint mismatch.
Unable to register/install 3rd party SVM with NSX after changing the certificate on the Trend Micro Manager.
After changing the certificate on the Trend Micro Appliance you getting following error on the NSX Manager logs:
2019-03-02 06:25:04.723 PST ERROR TaskFrameworkExecutor-6 VSMAgentStateUpdater$VSMAgentStateUpdaterPerDeploymentUnit:708 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] error while sending updated agents info for [vsmagent-251, vsmagent-256, vsmagent-258, vsmagent-248, vsmagent-252, vsmagent-250, vsmagent-255, vsmagent-257, vsmagent-249, vsmagent-254, vsmagent-253, vsmagent-259] com.vmware.vshield.vsm.si.exception.ServiceInsertionException: I/O error on PUT request for "https://ThirdParty.Manager.FQDN:4119/rest/vmware/2.0/agents/": java.security.cert.CertificateException: Server Certificate's thumbprint:F9:F5:AA:E2:3F:0D:4B:B5:##:##:##:##:##:##:##:##:##:##:##:## doesn't match any of the Registered thumbprint Set:[C9:38:6B:0B:2A:FE:09:F0:8A:4E:DD:18:8F:9A:FE:AF:E8:23:C4:BE]; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server Certificate's thumbprint:F9:F5:AA:E2:3F:0D:4B:B5:##:##:##:##:##:##:##:##:##:##:##:## doesn't match any of the Registered thumbprint Set:[C9:38:6B:0B:2A:FE:09:F0:##:##:##:##:##:##:##:##:##:##:##:##]
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Cause
This issue can occur if the 3rd party Management appliance is replaced with a new Management appliance or if the certificates are changed on the existing 3rd party Management appliance.
Resolution
This is a normal behavior as the connection is not trusted by the NSX Manager. Once it is changed and the following steps are done to fully clean the old installation certificate from the NSX Manager database.
Delete Trend Micro from Service Definitions. In this way, all the components will be deleted (including the certificate thumbprint) then change the certificate on the Trend Micro with the one you want to use, then re-register the Trend Micro with NSX, this should add the new certificate to the NSX Manager that it is going to be represented by the Trend Micro.
If the steps above cannot be applied, then work with Technical Support to assist with replacing the thumbprint in the NSX Manager database.