Compute Manager is disconnected from NSX-T Data Center

Article ID: 317794

Products

VMware NSX
VMware vCenter Server

Issue/Introduction

  • The Compute Manager appears to be DOWN.
  • If you edit the Compute Manager and click Save, you see an error similar to one of the following:

    Computer manager <name> with Id <ID> connection config is invalid. Edit Hostname and provide computer manager credentials. (Error code: 7055)

    Certificate Chain of Computer Manager <name> is invalid. Please check Issuer and subject in the chain. (Error code: 90204)

  • The last inventory update date may coincide with one of these events:
    • Environment may have been upgraded recently (NSX-T Data Center and/or vCenter).
    • vCenter Certificates may have been changed recently.
  • You see messages similar to the following in the /var/log/cm-inventory/cm-inventory.log file on the NSX manager node:

    2021-06-28T17:01:44.440Z  INFO http-nio-127.0.0.1-7443-exec-2 NsxTrustManagerBinding - SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Try create  TrustManager of type PKIX
    2021-03-01T13:09:45.651Z  WARN http-nio-127.0.0.1-7443-exec-2 VcUtilsImpl - SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] IOException occurred
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:1.8.0_251]
  • If the vCenter Server certificate was recently replaced with a CA certificate, you may see messages similar to the following in the /var/log/cm-inventory/cm-inventory.log file on the NSX manager node:

    2024-06-24T19:45:24.327Z ERROR http-nio-127.0.0.1-7443-exec-2 VcPlugin 4732 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40219" level="ERROR" reqId="11111111-2222222-7e7e7e7e7" subcomp="cm-inventory" username="admin"] Certificate of Vc example.com is invalid. It might be caused by issuer not being same as subject of next certificate in certificate chain.
  • If you attempt to add a new Compute Manager to an existing NSX-T cluster, you may see messages similar to the following in the /var/log/cm-inventory/cm-inventory.log file on the NSX manager node:

    2021-11-12T15:56:41.601Z ERROR http-nio-127.0.0.1-7443-exec-3 VcPlugin - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40106" level="ERROR" subcomp="cm-inventory"] Unable to login with username password for 192.168.1.253
    com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
     at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:261) ~[vlsi-client-7.0.1.8343824.jar:?]
     at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError(HttpExchangeBase.java:311) ~[vlsi-client-7.0.1.8343824.jar:?]
     at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:57) ~[vlsi-client-7.0.1.8343824.jar:?]

Environment

VMware NSX-T Data Center
VMware vCenter Server 

Cause

The vCenter certificate chain is not valid.
It is possible to install a certificate on vCenter that does not include the complete chain of authority.
Adding that vCenter to NSX-T as a Compute Manager then fails, because NSX-T requires the complete and correct certificate chain of authority.
A correct chain consists of:
  • Server Certificate (vCenter Server)
  • Intermediary
  • Root authority

Resolution

The vCenter certificate chain needs to be checked and fixed.
The following steps can be used:

  1. Obtain the certificate chain from vCenter Server using a command similar to the following:

    openssl s_client -showcerts -debug -connect <VC-IP>:443

  2. Validate the certificate chain using any certificate checking resource. One recommended resource is KeyCDN Certificate Checker.
  3. Chain the certificate correctly using the format Machine->Intermediate->Root.
  4. Use a file transfer utility to copy the correct certificate chain to the /tmp directory on the vCenter Server
  5. Export the original certificate chain and import the correct certificate chain
    1. Take an export of the original certificate and key

      /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --output /tmp/origmachinecert.crt
      /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store machine_ssl_cert --alias __MACHINE_CERT --output /tmp/origmachinekey.key

    2. Remove the existing certificate

      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store machine_ssl_cert --alias __MACHINE_CERT

    3. Import the correct certificate chain and key

      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store machine_ssl_cert --alias __MACHINE_CERT --cert /tmp/correctmachinecert.crt --key /tmp/origmachinekey.key

  6. If /etc/vmware-vpx/ssl/rui.crt also has the incorrect certificate chain, edit rui.crt and paste in the correct certificate chain
  7. Reboot the vCenter Server
  8. Confirm the vCenter Server can be connected to NSX as a Compute Manager.

Note: When a CA certificate is in use on the vCenter Server, you must engage the CA vendor to issue a new certificate that replaces the problematic sector, then upload it to the vCenter Server again.
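
Before importing the bundle in step 5, the Machine->Intermediate->Root order from step 3 can be checked locally. The script below is an added example, not part of the original article or of VMware tooling; the function names check_chain_order and cert_name are hypothetical. It tests the condition named in the MP40219 message (each certificate's issuer must equal the subject of the next certificate) and that the last certificate is self-signed.

```shell
#!/bin/sh
# Added example (not from the KB article): check that a PEM bundle such as
# /tmp/correctmachinecert.crt is ordered Machine -> Intermediate -> Root.
# It compares names only; it does not verify signatures or validity dates.

# Print one field (subject or issuer) of a single-certificate PEM file.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
        sed "s/^$2= *//"
}

# Return 0 if every certificate is issued by the one that follows it and the
# last one is self-signed, 1 if the order or chain is wrong, 2 on bad input.
check_chain_order() {
    work=$(mktemp -d) || return 2
    # Split the bundle into cert.1.pem, cert.2.pem, ... in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert." n ".pem") }' "$1"
    rc=0; i=1; prev_issuer=""; subject=""
    while [ -f "$work/cert.$i.pem" ]; do
        subject=$(cert_name "$work/cert.$i.pem" subject)
        issuer=$(cert_name "$work/cert.$i.pem" issuer)
        if [ -z "$subject" ] || [ -z "$issuer" ]; then
            echo "position $i: cannot parse certificate"; rc=2; break
        fi
        echo "position $i: subject=$subject issuer=$issuer"
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
            echo "  MISMATCH: previous certificate was issued by '$prev_issuer'"
            rc=1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    if [ ! -f "$work/cert.1.pem" ]; then
        echo "no certificates found in $1"; rc=2
    elif [ "$rc" -eq 0 ] && [ "$prev_issuer" != "$subject" ]; then
        echo "  INCOMPLETE: last certificate is not self-signed, root is missing"
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Usage: sh check_chain.sh /tmp/correctmachinecert.crt
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

A bundle that passes this check still needs the signature and expiry validation from step 2, since only the name linkage is compared here.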

Additional Information