Resolve the NSX-T certificate rotation failures due to CRL checking

Article ID: 316476


Products

VMware Cloud Foundation VMware NSX

Issue/Introduction

NSX-T certificate rotation fails with the following error:

[
  {
    "error_code": 36432,
    "error_message": "Certificate validation failed. Reason : Certificate was rejected: CRL check failed: No CDP specified in the certificate for CN=wld1-nsxt-vip.example.com,OU=OU,O=VMware,L=Bangalore,ST=Karnataka,C=IN",
    "module_name": "node-services"
  }
]

Environment

VMware Cloud Foundation 3.10.2.2

Cause

CRL checking is enabled in NSX-T Manager, and no CDP (CRL Distribution Point) endpoints are configured when the certificate is rotated.

Resolution

The issue is fixed in the 4.x releases.

Workaround

  1. Get SecurityGlobalConfig and save it to a file, for example config.json, using the following command:

    curl -s -k -u 'admin:<nsxt-password>' https://<nsxt-manager/vip-fqdn-or-ipaddress>/api/v1/global-configs/SecurityGlobalConfig > config.json

  2. Edit the config.json file and set crl_checking_enabled to false.
  3. Update SecurityGlobalConfig using the following command:

    vcf@sddc-manager [ ~ ]$ curl -k -s -X PUT -H 'Content-Type: application/json' -u 'admin:<nsxt-password>' https://<nsxt-manager/vip-fqdn-or-ipaddress>/api/v1/global-configs/SecurityGlobalConfig -d @config.json
    {
      "crl_checking_enabled" : false,
      "ca_signed_only" : false,
      "eku_checking_enabled" : true,
      "resource_type" : "SecurityGlobalConfig",
      "id" : "a85129e5-4294-####-####-###########b",
      "display_name" : "a85129e5-4294-####-####-###########b",
      "_create_user" : "system",
      "_create_time" : 1637059298536,
      "_last_modified_user" : "admin",
      "_last_modified_time" : 1639071250006,
      "_system_owned" : false,
      "_protection" : "NOT_PROTECTED",
      "_revision" : 11
    }
    vcf@sddc-manager [ ~ ]$
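
Step 2 of the workaround as a guarded shell function (an added example, not part of the original article or of VMware's tooling): it refuses to edit a file that is not a SecurityGlobalConfig object, keeps the fetched response as a `.orig` copy, and changes only `crl_checking_enabled`. The function name and the `.orig` suffix are assumptions, and the file is assumed to have the layout shown in the response above.

```shell
#!/bin/sh
# Added example: step 2 of the workaround as a guarded, repeatable edit.
# Assumption: FILE has the JSON layout shown in the PUT response on this page.

# disable_crl_checking FILE
# Returns 0 when FILE ends up with crl_checking_enabled set to false,
# non-zero (with FILE untouched) when FILE is not a usable config object.
disable_crl_checking() {
    cfg=$1
    [ -s "$cfg" ] || { echo "missing or empty: $cfg" >&2; return 1; }

    # curl -s saves an API error body just as readily as the real object,
    # so confirm this is a SecurityGlobalConfig before touching it.
    grep -Eq '"resource_type"[[:space:]]*:[[:space:]]*"SecurityGlobalConfig"' "$cfg" ||
        { echo "$cfg is not a SecurityGlobalConfig object" >&2; return 1; }
    grep -Eq '"crl_checking_enabled"[[:space:]]*:[[:space:]]*(true|false)' "$cfg" ||
        { echo "crl_checking_enabled not found in $cfg" >&2; return 1; }

    # Keep the unmodified GET response so the original setting stays on record.
    cp "$cfg" "$cfg.orig" || return 1

    # Change only the one flag; every other field, _revision included,
    # is written back exactly as it was fetched.
    sed -E 's/("crl_checking_enabled"[[:space:]]*:[[:space:]]*)true/\1false/' \
        "$cfg.orig" > "$cfg" || return 1

    # Final check: the file that will be sent in step 3 carries the new value.
    grep -Eq '"crl_checking_enabled"[[:space:]]*:[[:space:]]*false' "$cfg"
}
```

Run `disable_crl_checking config.json` between steps 1 and 3; a non-zero return means config.json should not be sent back with the PUT.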