Resolve the NSX-T certificate rotation failures due to CRL checking

search cancel

Resolve the NSX-T certificate rotation failures due to CRL checking

book

Article ID: 316476

calendar_today

Updated On:

Products

VMware Cloud Foundation VMware NSX

Issue/Introduction

The following error appears:

[
  {
    "error_code": 36432,
    "error_message": "Certificate validation failed. Reason : Certificate was rejected: CRL check failed: No CDP specified in the certificate for CN=wld1-nsxt-vip.example.com,OU=OU,O=VMware,L=Bangalore,ST=Karnataka,C=IN",
    "module_name": "node-services"
  }
]

Environment

VMware Cloud Foundation 3.10.2.2

Cause

Enabling the CRL (Certificate Revocation List) checking in NSX-T manager and not configuring CDP (Certificate Distribution Point) endpoints while rotating the certificate

Resolution

The issue is fixed in the 4.x releases.

Workaround

Get SecurityGlobalConfig and redirect it to a file, say config.json using the below command:

curl -s -k -u 'admin:<nsxt-password>' https://<nsxt-manager/vip-fqdn-or-ipaddress>/api/v1/global-configs/SecurityGlobalConfig > config.json
Edit config.json file and set crl_checking_enabled to false.
Update SecurityGlobalConfig using the below command
vcf@sddc-manager [ ~ ]$ curl -k -s -X PUT -H 'Content-Type: application/json' -u 'admin:<nsxt-password>' https://<nsxt-manager/vip-fqdn-or-ipaddress>/api/v1/global-configs/SecurityGlobalConfig -d @config.json
{
  "crl_checking_enabled" : false,
  "ca_signed_only" : false,
  "eku_checking_enabled" : true,
  "resource_type" : "SecurityGlobalConfig",
  "id" : "a85129e5-4294-####-####-###########b",
  "display_name" : "a85129e5-4294-####-####-###########b",
  "_create_user" : "system",
  "_create_time" : 1637059298536,
  "_last_modified_user" : "admin",
  "_last_modified_time" : 1639071250006,
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 11
}vcf@sddc-manager [ ~ ]$

Feedback

thumb_up Yes

thumb_down No