Failure to apply NSX-T certificate: Couldn't get LDAP context from URI

Article ID: 318328

Products

VMware NSX

Issue/Introduction

Symptoms:
  • NSX-T 3.0 and above
  • Applying a certificate to an NSX-T Manager node or cluster fails:
      https://<Manager IP>/api/v1/node/services/http?action=apply_certificate&certificate_id=<cert-id>
      https://<Manager IP>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<cert-id>
  • The following error is seen:
      Certificate validation failed. Reason : Certificate was rejected: CRL check failed: Couldn't get LDAP context from URI


Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

NSX-T 3.0 added Certificate Revocation List (CRL) checking when applying a certificate to a Manager node/cluster.
If the CRL check cannot be performed, the certificate cannot be applied to a Manager node or cluster.
In the case of LDAP CRL verification, the check may fail if there is a communication issue between the NSX-T Manager and the LDAP server.
Although CA-signed Manager certificates that have LDAP CRL Distribution Points (CDPs) may work, they are not officially supported, and VMware recommends using certificates with HTTP-based CDPs.
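
To see which CDP types a certificate carries before applying it, the following added example (not VMware code) parses the text printed by `openssl x509 -in <cert.pem> -noout -text` and groups the CRL Distribution Point URIs by scheme. The sample text, host names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=Example-CA,CN=ca01,CN=CDP,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
                Full Name:
                  URI:http://crl.example.com/Example-CA.crl
            Authority Information Access:
                CA Issuers - URI:http://pki.example.com/Example-CA.crt
"""

def cdp_uris(text):
    """Return only the URIs listed under 'X509v3 CRL Distribution Points'."""
    uris, header_indent = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if "X509v3 CRL Distribution Points" in line:
                header_indent = indent
            continue
        if indent <= header_indent:  # next extension begins, CDP section is over
            break
        match = re.search(r"URI:(.+)", line)
        if match:
            uris.append(match.group(1).strip())
    return uris

def precheck(text):
    """Group the CDP URIs by type and return (verdict, groups)."""
    kinds = {"http": "http", "https": "http", "ldap": "ldap", "ldaps": "ldap"}
    groups = {"http": [], "ldap": [], "other": []}
    for uri in cdp_uris(text):
        # Assumption: https counts as HTTP-based and ldaps as LDAP.
        groups[kinds.get(uri.split(":", 1)[0].lower(), "other")].append(uri)
    if groups["ldap"]:
        verdict = "mixed" if groups["http"] else "ldap-only"
    else:
        verdict = "http-only" if groups["http"] else "no-http-or-ldap-cdp"
    return verdict, groups

if __name__ == "__main__":
    print(precheck(SAMPLE_TEXT))
```

A verdict of "ldap-only" or "mixed" means the certificate lists at least one LDAP CDP, the type described above as not officially supported.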

Resolution

The CRL check is disabled by default in NSX-T Data Center 3.0.2 and 3.1.0 and above.
Note: Environments deployed on an earlier release and then upgraded will continue to have the CRL check enabled.

Workaround:
Possible workaround options:

  • Use a certificate that has an HTTP-based CDP, or
  • Disable CRL checking using the API. This allows the certificate to be applied even if the CRL check fails.

Check the current setting:
GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig

Disable the CRL check:
PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig
  - Include the entire output body from the above GET command in the body of your PUT command.
  - Be sure to include the below two lines in the body of your PUT:

Body
{
  "crl_checking_enabled" : false,
  "resource_type" : "SecurityGlobalConfig"
}