CA certificate/CRL changes made in the NSX Edge 6.4.x LoadBalancer, Application Profile UI are not persistent when saved.

Article ID: 319025

Products

VMware NSX for vSphere

Issue/Introduction

The purpose of this article is to provide awareness of a known issue with NSX-V 6.4.8 and 6.4.10.

Symptoms:

  • When changing/updating the CA certificates / CRL from the UI, no error is observed when clicking save. The UI reports that saving is in progress. Upon reopening the Application Profile after the changes are made, the former settings are still configured.



Environment

VMware NSX for vSphere

Cause

The value the user changes in the CA certificate / CRL grid is not returned to the parent component, so it is not sent in the API call made by the UI.

Resolution

This issue is fixed in VMware NSX Data Center for vSphere 6.4.11.


Workaround:
Use the REST API to replace the CA certificate.

Note: In the REST API calls below, replace "NSX-IP", "edge-id" and "applicationProfile-id" with the values from the customer setup.

1. GET https://NSX-IP/api/4.0/edges/edge-id/loadbalancer/config/applicationprofiles

This will list all the Application Profiles and Certs being used.

Once you get the applicationProfileId, run the below API to get the details for the required Application Profile.

GET https://NSX-IP/api/4.0/edges/edge-id/loadbalancer/config/applicationprofiles/applicationProfile-id

Copy the complete XML output and save it.

CA sample:
    <clientSsl>
        <ciphers>DEFAULT</ciphers>
        <clientAuth>ignore</clientAuth>
        <serviceCertificate>certificate-xxx</serviceCertificate>
        <caCertificate>certificate-yyy</caCertificate>  <!-- current CA cert that needs to be changed or replaced -->
    </clientSsl>
 
2. Identify the correct certificate-id that you want to update. If you do not know the certificate IDs, use the APIs below to list the certificate details.

GET https://NSX-IP/api/2.0/services/truststore/certificate/scope/edge-id

GET https://NSX-IP/api/2.0/services/truststore/certificate/certificate-id 

3. Edit the XML output that you copied in Step 1. Replace the CA certificate entry with the correct certificate-id and save the file again.

CA sample:
    <clientSsl>
        <ciphers>DEFAULT</ciphers>
        <clientAuth>ignore</clientAuth>
        <serviceCertificate>certificate-xxx</serviceCertificate>
        <caCertificate>certificate-zzz</caCertificate>  <!-- replaced with the correct cert -->
    </clientSsl>

4. Execute the below API using the xml body that you have modified/saved in Step 3.

PUT https://NSX-IP/api/4.0/edges/edge-id/loadbalancer/config/applicationprofiles/applicationProfile-id
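
An added example, not part of the original article or VMware's own tooling: a Python helper that makes the Step 3 edit on the saved XML and checks the profile re-read after the Step 4 PUT, since the UI issue shows a save can appear to succeed without persisting. The sample XML (including the elements outside `<clientSsl>`), the IDs and the function names are constructed for illustration, and the code assumes the saved file contains the whole profile document rather than only the `<clientSsl>` fragment.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the GET output saved in Step 1; the elements outside
# <clientSsl> and all IDs are placeholders, not values from a real edge.
SAVED_PROFILE = """<applicationProfile>
  <applicationProfileId>applicationProfile-id</applicationProfileId>
  <name>example-profile</name>
  <clientSsl>
    <ciphers>DEFAULT</ciphers>
    <clientAuth>ignore</clientAuth>
    <serviceCertificate>certificate-xxx</serviceCertificate>
    <caCertificate>certificate-yyy</caCertificate>
  </clientSsl>
</applicationProfile>"""


def client_ca_ids(profile_xml):
    """Return the caCertificate IDs listed under <clientSsl>."""
    root = ET.fromstring(profile_xml)
    return [(e.text or "").strip()
            for e in root.findall("./clientSsl/caCertificate")]


def replace_ca_certificate(profile_xml, old_id, new_id):
    """Swap old_id for new_id under <clientSsl>; touch nothing else."""
    root = ET.fromstring(profile_xml)
    matches = [e for e in root.findall("./clientSsl/caCertificate")
               if (e.text or "").strip() == old_id]
    if len(matches) != 1:
        # Wrong profile or stale copy: stop rather than PUT a guess.
        raise ValueError(f"expected exactly one {old_id!r}, found {len(matches)}")
    matches[0].text = new_id
    return ET.tostring(root, encoding="unicode")


def change_persisted(profile_xml_after_put, old_id, new_id):
    """Check the profile re-read after the PUT: new ID present, old ID gone."""
    ids = client_ca_ids(profile_xml_after_put)
    return new_id in ids and old_id not in ids


if __name__ == "__main__":
    body = replace_ca_certificate(SAVED_PROFILE, "certificate-yyy", "certificate-zzz")
    print(body)  # use as the PUT body in Step 4
    print(change_persisted(body, "certificate-yyy", "certificate-zzz"))
```

After the PUT, repeat the single-profile GET from Step 1 and pass its output to `change_persisted` to confirm that the edge now references the new CA certificate.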

Additional Information

Impact/Risks:
Users will not be able to replace or update the CA certificates / CRL for the Application Profile in LoadBalancer services on an NSX Edge running 6.4.8 or 6.4.10 using the vSphere UI client.