NSX Edge throws exception if service certificate content doesn't contain private key

Article ID: 310645
Products

VMware NSX

Issue/Introduction

After successfully adding a CA certificate on NSX Edge, you experience these symptoms:

  • Fatal error found in configuration when attempting to update the Application Profile for SSL offload using CA certificates.
  • In the vsm.log file, you see entries similar to:

    2017-03-10 00:25:46 :: DEBUG :: Utils :: Command: chown vseconfig:vseconfig /var/run/vmware/vshield/cmdOut/5f37d5bc-####-####-####-ef45360fdb52.out, Result:
    errCode :73001
    errMsg :[256] Failed to reload haproxy : Reloading HA-Load-Balancer configuration: vse-ha-lb
    [ALERT] 068/002546 (26576) : parsing [/var/db/vmware/vshield/haproxy.conf:43] : 'bind ##.##.##.##:443' : unable to load SSL private key from PEM file '/var/db/loadbalancer//certs/########_vip-30.pem'.
    [ALERT] 068/002546 (26576) : Error(s) found in configuration file : /var/db/vmware/vshield/haproxy.conf
    [ALERT] 068/002546 (26576) : Proxy '########': no SSL certificate specified for bind '##.##.##.##:443' at [/var/db/vmware/vshield/haproxy.conf:43] (use 'crt').
    [ALERT] 068/002546 (26576) : Fatal errors found in configuration.
    Failed to reload HA-Load-Balancer: vse-ha-lb
    Try to restart HA-Load-Balancer: vse-ha-lb
    [ALERT] 068/002546 (26582) : parsing [/var/db/vmware/vshield/haproxy.conf:43] : 'bind ##.##.##.##:443' : unable to load SSL private key from PEM file '/var/db/loadbalancer//certs/########_vip-30.pem'.
    [ALERT] 068/002546 (26582) : Error(s) found in configuration file : /var/db/vmware/vshield/haproxy.conf
    [ALERT] 068/002546 (26582) : Proxy '########': no SSL certificate specified for bind '##.##.##.##:443' at [/var/db/vmware/vshield/haproxy.conf:43] (use 'crt').
    [ALERT] 068/002546 (26582) : Fatal errors found in configuration.
    Failed to re-start HA-Load-Balancer: vse-ha-lb


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Resolution

Generating a CSR

  1. Open MMC and add the Certificates snap-in.
  2. Navigate to Personal > Certificates.
  3. Right-click Certificates and select All Tasks > Advanced Operations > Create Custom Request.
  4. Choose Active Directory Enrollment Policy.
  5. Use the “Web Server” template and the PKCS #10 format.
  6. On the Certificate Information page, click Details and select Properties.
  7. Add the following fields in the Subject tab:
    1. Organization
    2. Organizational Unit
    3. Locality
    4. Country
  8. On the Private Key tab, under Key Options, select “Make private key exportable”.
  9. Click OK and Next until you are prompted to save your CSR. Submit this CSR to your Certificate Authority to obtain your certificate.
  10. Download your files in the “other” certificate category from the Certificate Authority for the next step.

Importing a Cert and Creating a PFX file

  1. Open MMC and add the Certificates snap-in.
  2. Navigate to Personal > Certificates.
  3. Right-click Certificates and choose All Tasks > Import.
  4. Import the .crt file that you downloaded from the Certificate Authority.
  5. Right-click your certificate and choose All Tasks > Export. Select “Yes, export the private key” and “Include all certificates in the certification path if possible”.
  6. Pick yourself and Domain Admins as the user group.
  7. Create a complex password and save it.

Retrieve Private Key from PFX File

  1. Download OpenSSL from https://slproweb.com/products/Win32OpenSSL.html.
  2. Install OpenSSL and move the PFX file into the same directory as openssl.exe.
  3. Open openssl.exe and run the following commands:
    1. openssl pkcs12 -in <pfx_file_name>.pfx -nocerts -out priv.pem
      • You will be prompted for the password from step 7 in the previous section.
      • You will be prompted to create a new password; save this as well.
    2. openssl rsa -in priv.pem -out priv.pem
      • Enter the password you created in the step above.
      • You will get an error regarding “bag type”. This can be ignored.
      • This command writes the key back without the passphrase, which is the form the Edge load balancer can read; a key that is still passphrase-protected produces the “unable to load SSL private key” error shown above.
  4. You will now use your priv.pem file and your original .crt file that you downloaded from the Certificate Authority to install the cert in the ESG.
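As an added example that is not part of this article or of VMware's tooling, the script below rehearses the two openssl commands from the steps above on a constructed self-signed certificate, then checks, before anything is pasted into the Edge, that the resulting PEM actually carries an unencrypted private key and that the key matches the .crt. It assumes a POSIX shell with the openssl command-line tool (the openssl commands themselves are the same ones run on openssl.exe); the file names, subject name and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or from VMware): rehearse the key extraction on a
# throwaway certificate and verify the result before it goes into the Edge.
# Assumes a POSIX shell with the openssl CLI available on PATH.
set -eu

# make_test_pfx DIR PASSWORD
# Builds a constructed self-signed certificate and key and packs them into a PFX,
# standing in for the PFX exported from the MMC Certificates snap-in.
make_test_pfx() {
  dir=$1; pw=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vip-30.example.test' \
    -keyout "$dir/orig.key" -out "$dir/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
    -out "$dir/export.pfx" -passout "pass:$pw"
}

# extract_key PFX PASSWORD OUT
# The article's two commands, made non-interactive with -passin/-passout. The first
# writes a passphrase-protected key; the second strips that passphrase, which is the
# form the Edge can load.
extract_key() {
  pfx=$1; pw=$2; out=$3
  openssl pkcs12 -in "$pfx" -nocerts -out "$out.enc" \
    -passin "pass:$pw" -passout "pass:tmp-$pw"
  openssl rsa -in "$out.enc" -out "$out" -passin "pass:tmp-$pw" 2>/dev/null
  rm -f "$out.enc"
}

# pem_has_key FILE
# Succeeds only if FILE carries an unencrypted private key block. A .crt alone, or a
# key still protected by a passphrase, is what produces the
# "unable to load SSL private key" ALERT quoted in the article.
pem_has_key() {
  grep -qE -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" &&
    ! grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_matches_cert KEY CRT
# Derives the public key from each side (both normalised through "openssl pkey") and
# compares them; a mismatch means the wrong PFX or the wrong .crt was picked up.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# run_demo
# End-to-end rehearsal on constructed material; returns non-zero if any check fails.
run_demo() {
  work=$(mktemp -d)
  pw='Constructed-PFX-Passw0rd'   # constructed; stands in for the password chosen in step 7
  status=0
  make_test_pfx "$work" "$pw"
  extract_key "$work/export.pfx" "$pw" "$work/priv.pem"
  if pem_has_key "$work/orig.crt"; then
    echo "unexpected: orig.crt reports a private key"; status=1
  else
    echo "ok: orig.crt alone carries no private key (the failing case from the log)"
  fi
  if pem_has_key "$work/priv.pem"; then
    echo "ok: priv.pem holds an unencrypted private key"
  else
    echo "fail: priv.pem is missing or still encrypted"; status=1
  fi
  if key_matches_cert "$work/priv.pem" "$work/orig.crt"; then
    echo "ok: priv.pem matches orig.crt"
  else
    echo "fail: key does not match certificate"; status=1
  fi
  rm -rf "$work"
  return $status
}

run_demo
```

Run it with `sh check-pem.sh`; for a real deployment, point `pem_has_key` and `key_matches_cert` at the priv.pem and .crt you are about to paste into the Edge. The first check is the one that matters for this article: the .crt on its own passes the Edge UI but fails the haproxy reload, and the check catches that before the reload.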

Installing the Cert in the ESG

  1. Log in to the ESG and navigate to Settings > Certificates.
  2. Click the + icon and select “Certificate”.
  3. Open the .crt file in Notepad and paste its contents in the top section; open the .pem file in Notepad and paste its contents in the bottom section.
  4. Your certificate is now installed on the load balancer and available for use.