Failure to apply NSX-T certificate: Couldn't get LDAP context from URI
Article ID: 318328
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- NSX-T 3.0 and above
- Applying a certificate to an NSX-T Manager node or cluster fails
https://<Manager IP>/api/v1/node/services/http?action=apply_certificate&certificate_id=<cert-id>
https://<Manager IP>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<cert id>
https://<Manager IP>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<cert id>
- The following error is seen
Certificate validation failed. Reason : Certificate was rejected: CRL check failed: Couldn't get LDAP context from URI
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T Data Center
Cause
NSX-T 3.0 added Certificate Revocation List (CRL) checking when applying a certificate to a Manager node/cluster.
If the CRL check cannot be performed, the certificate cannot be applied to a Manager node or cluster.
In the case of LDAP CRL verification, the check may fail if there is a communication issue between NSX-T Manager and the LDAP server.
Although CA-signed certificates that have LDAP CDPs for the Manager may work, they are not officially supported and VMware recommends the use of HTTP CDP based certificates.
If the CRL check cannot be performed, the certificate cannot be applied to a Manager node or cluster.
In the case of LDAP CRL verification, the check may fail if there is a communication issue between NSX-T Manager and the LDAP server.
Although CA-signed certificates that have LDAP CDPs for the Manager may work, they are not officially supported and VMware recommends the use of HTTP CDP based certificates.
Resolution
CRL check has been disabled by default in NSX-T Data Center 3.0.2 and 3.1.0 and above.
Note environments deployed on an earlier release and upgraded will continue to have CRL check enabled.
Workaround:
Possible workaround options:
Note environments deployed on an earlier release and upgraded will continue to have CRL check enabled.
Workaround:
Possible workaround options:
- Use a certificate that has HTTP-based CDP or
- Disable CRL checking using API, this will allow the certificate to be applied even if the CRL check fails
Check current setting
GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig
Disable CRL check
PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig
- Include the entire output body from the above GET command in the body of your PUT command.
Be sure to include the below two lines in the body of your PUT:
Body
{
"crl_checking_enabled" : false,
"resource_type" : "SecurityGlobalConfig"
}
GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig
Disable CRL check
PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig
- Include the entire output body from the above GET command in the body of your PUT command.
Be sure to include the below two lines in the body of your PUT:
Body
{
"crl_checking_enabled" : false,
"resource_type" : "SecurityGlobalConfig"
}
Feedback
Yes
No
Powered by
