Installing 3rd party SVM fails due to SSL thumbprint mismatch error


Article ID: 303266


Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • When the certificate of the NSX 3rd-party SVM is changed, Service Deployment shows an SSL thumbprint mismatch warning.
  • Unable to register/install a 3rd party SVM with NSX after changing the certificate on the Trend Micro Manager.
  • After changing the certificate on the Trend Micro Appliance, the following error appears in the NSX Manager logs:

    2019-03-02 06:25:04.723 PST ERROR TaskFrameworkExecutor-6 VSMAgentStateUpdater$VSMAgentStateUpdaterPerDeploymentUnit:708 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] error while sending updated agents info  for [vsmagent-251, vsmagent-256, vsmagent-258, vsmagent-248, vsmagent-252, vsmagent-250, vsmagent-255, vsmagent-257, vsmagent-249, vsmagent-254, vsmagent-253, vsmagent-259]
    com.vmware.vshield.vsm.si.exception.ServiceInsertionException: I/O error on PUT request for "https://ThirdParty.Manager.FQDN:4119/rest/vmware/2.0/agents/": java.security.cert.CertificateException: Server Certificate's thumbprint:F9:F5:AA:E2:3F:0D:4B:B5:##:##:##:##:##:##:##:##:##:##:##:## doesn't match any of the Registered thumbprint Set:[C9:38:6B:0B:2A:FE:09:F0:8A:4E:DD:18:8F:9A:FE:AF:E8:23:C4:BE]; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server Certificate's thumbprint:F9:F5:AA:E2:3F:0D:4B:B5:##:##:##:##:##:##:##:##:##:##:##:## doesn't match any of the Registered thumbprint Set:[C9:38:6B:0B:2A:FE:09:F0:##:##:##:##:##:##:##:##:##:##:##:##]


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Cause

This issue can occur if the 3rd party Management appliance is replaced with a new Management appliance or if the certificates are changed on the existing 3rd party Management appliance.

Resolution

This is expected behavior: once the certificate is changed, the NSX Manager no longer trusts the connection. Follow the steps below to fully clean the old installation certificate from the NSX Manager database.

  1. Delete Trend Micro from Service Definitions. This deletes all of its components, including the certificate thumbprint. Then change the certificate on Trend Micro to the one you want to use and re-register Trend Micro with NSX. This should add the new certificate, the one Trend Micro will present, to the NSX Manager.
  2. If the steps above cannot be applied, then work with Technical Support to assist with replacing the thumbprint in the NSX Manager database.
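
Before deleting the service definition, it helps to confirm that the certificate named in the log really is the one you installed, so that only the registration is stale. The following is an added example, not VMware or Trend Micro code: it parses the CertificateException message shown under Symptoms and compares the presented thumbprint with the one you expect. It assumes the 20-octet thumbprint is the SHA-1 digest of the DER-encoded certificate; the function names and sample data are constructed for illustration.

```python
import hashlib
import re

def thumbprint(der_bytes):
    # Assumption: the 20-octet value in the log is SHA-1 over the DER certificate.
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# 20 colon-separated octets; '##' allowed because redacted logs mask octets.
OCTETS = r"(?:[0-9A-Fa-f#]{2}:){19}[0-9A-Fa-f#]{2}"
MISMATCH = re.compile(
    r"Server Certificate's thumbprint:\s*(" + OCTETS + r")\s+doesn't match any of "
    r"the Registered thumbprint Set:\[([^\]]*)\]"
)

def parse_mismatch(line):
    """Return (presented, [registered, ...]) from the first mismatch message, or None."""
    m = MISMATCH.search(line)
    if m is None:
        return None
    registered = [t.strip().upper() for t in m.group(2).split(",") if t.strip()]
    return m.group(1).upper(), registered

def same_thumbprint(a, b):
    """Octet-wise comparison; a masked '##' octet matches anything."""
    xs, ys = a.upper().split(":"), b.upper().split(":")
    return len(xs) == len(ys) and all(x == y or "##" in (x, y) for x, y in zip(xs, ys))

def diagnose(line, expected):
    """expected: thumbprint of the certificate you installed on the 3rd-party manager."""
    parsed = parse_mismatch(line)
    if parsed is None:
        return "no-mismatch-message"
    presented, _registered = parsed
    if same_thumbprint(presented, expected):
        return "stale-registration"      # right cert served, NSX holds the old thumbprint
    return "unexpected-certificate"      # endpoint serves a cert you did not install

# Constructed sample data (not real certificates or real log output).
NEW = thumbprint(b"constructed new certificate")
OLD = thumbprint(b"constructed old certificate")
SAMPLE = (
    'I/O error on PUT request for "https://ThirdParty.Manager.FQDN:4119/rest/vmware/2.0/agents/": '
    "java.security.cert.CertificateException: Server Certificate's thumbprint:" + NEW +
    " doesn't match any of the Registered thumbprint Set:[" + OLD + "]"
)

if __name__ == "__main__":
    print(parse_mismatch(SAMPLE))
    print(diagnose(SAMPLE, NEW))
```

A result of `unexpected-certificate` means the endpoint is serving something other than the certificate you installed, which should be investigated before re-registering. Masked octets weaken the comparison, so run it against the unredacted log where possible.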