NSX 3rd-party SVMs show warning status due to SSL thumbprint mismatch

Article ID: 310637

Products

VMware NSX

Issue/Introduction

When the certificate of an NSX 3rd-party SVM is changed, the Service Deployment shows a warning status with an SSL thumbprint mismatch message.

Environment

VMware NSX for vSphere 6.4.x

Resolution

To update the thumbprint of the SSL certificate for the service deployment:
 

  1. Identify the service deployment ID of the solution using the following REST API call:

    GET https://nsxmgr-ip/api/2.0/si/servicemanagers

    In the response body, identify the objectId of the instance: the text (similar to servicemanager-#) within the <objectId>...</objectId> tags in the same <servicemanager>...</servicemanager> section.
    Here, # is the servicemanager instance ID.
     
  2. Run the following REST API query to confirm that the correct instance is returned:

    GET https://nsxmgr-ip/api/2.0/si/servicemanager/servicemanager-#
     
  3. Copy the returned XML data into the Body field of the REST client. Ensure that the "Content-Type: application/xml" header is included in the client.
     
  4. Get the new SSL thumbprint by opening the URL shown between the <restUrl></restUrl> tags of the response body in a web browser. Click the connection information to open the certificate properties, view the certificate, and copy its SHA-1 thumbprint. Ensure that there are no blank spaces between the characters, and that there are no spaces or newlines between the XML tags and the thumbprint characters.

    Example: ##:##:##:##:##:##:ED:11:88:68:9A:A7:DE:FC:##:##:##:##:##:##
  5. Modify the XML in the body and replace the thumbprint with the one obtained from the certificate.

    <thumbprint>##:##:##:##:##:##:ED:11:88:68:9A:A7:DE:FC:##:##:##:##:##:##</thumbprint>
     
  6. Verify the text between the <restUrl></restUrl> tags:
     
    • Ensure that any line breaks are removed between the tags and the URL.
       
    • If the URL contains the "&" character, all instances must be replaced with the string &amp; (with no additional spaces).
       
    • If the above is not feasible, or other characters generate errors on PUT such as "entity reference name can not contain character", then note the URL and remove the URL string from the PUT call after the https://nsxm-ip/. Then, after the PUT completes successfully, go to the vSphere Web Client and, under Service Definitions -> Service Managers, select the Service Manager in question and click the pencil icon to edit it. Paste the original full URL into the Base API URL box and click OK.
       
  7. Change the method to PUT and run the API call, which returns an update result.
     
  8. Change the method to GET and run the API call. Ensure that the returned XML contains the correct SSL certificate thumbprint.
     
  9. Log on to the vSphere Web Client and click the Resolve button on the Service Deployment status.
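
Steps 4 to 6 can also be scripted so that the thumbprint format and the restUrl escaping are checked before the PUT. The following is an added example, not part of the original article or any VMware tooling. The sample XML is constructed and reduced to the elements named above, and the host name and function names are assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# 20 colon-separated upper-case hex bytes, no spaces or newlines (step 4).
SHA1_FORMAT = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")

# Constructed stand-in for the GET response of step 2 (not real NSX output).
SAMPLE_GET_RESPONSE = """<servicemanager>
  <objectId>servicemanager-1</objectId>
  <restUrl>
    https://svm-mgr.example.invalid/api?tenant=a&amp;mode=b
  </restUrl>
  <thumbprint>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00</thumbprint>
</servicemanager>"""


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA-1 of a DER-encoded certificate in the colon-separated form of step 4.

    For a live endpoint the DER bytes can come from
    ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))).
    That call does not validate the certificate, so compare the result with
    the fingerprint of the certificate that was installed on the SVM.
    """
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_put_body(get_response_xml: str, new_thumbprint: str) -> str:
    """Return the GET response with the new thumbprint and a cleaned restUrl."""
    if not SHA1_FORMAT.fullmatch(new_thumbprint):
        raise ValueError("thumbprint must be 20 colon-separated hex bytes")
    root = ET.fromstring(get_response_xml)
    thumb, rest_url = root.find(".//thumbprint"), root.find(".//restUrl")
    if thumb is None or rest_url is None:
        raise ValueError("expected <thumbprint> and <restUrl> in the body")
    thumb.text = new_thumbprint
    # Step 6: no line breaks or padding between the tags and the URL.
    rest_url.text = (rest_url.text or "").strip()
    # ElementTree writes any '&' in the URL as '&amp;' when serialising.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # b"abc" is a constructed placeholder, not a real certificate.
    print(build_put_body(SAMPLE_GET_RESPONSE, sha1_thumbprint(b"abc")))
```

The returned string is the body for the PUT in step 7, sent with the "Content-Type: application/xml" header.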