"Certificate delete failed: Certificate cannot be deleted because it is used by 1 MP node(s)" error when deleting an NSX-T certificate
Article ID: 319133
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- Deleting an NSX-T certificate fails.
- You see the error:
Certificate delete failed: Certificate cannot be deleted because it is used by 1 MP node(s).
- The GET /api/v1/trust-management/certificates/{cert-id} REST API shows that the certificate is used by a node, similar to:
{
"pem_encoded" : "-----BEGIN CERTIFICATE-----
(output omitted)
-----END CERTIFICATE-----",
"used_by" : [ {
"node_id" : "74af0842-d9f9-XXXX-XXXX-XXXXXXXXX", <--- node using the certificate
"id" : "04106cfd-0c23-XXXX-XXXX-XXXXXXXXX", <--- certificate ID
"display_name" : "mp-cluster certificate for node nsx-mngr-01.corp.local",
"tags" : [ ],
"_create_user" : "system",
"_create_time" : 1563623896904,
"_last_modified_user" : "system",
"_last_modified_time" : 1563623896959,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 2
}
Note: {cert-id} can be obtained from the NSX-T UI in System > Certificates.
- The GET /api/v1/cluster/nodes/{node-id} REST API confirms the node is not using the certificate:
Note: {node-id} can be obtained from the above certificate API.
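The cross-check described in the two API steps above can be scripted against saved responses. This is an added example, not code from the article or from VMware: the sample JSON is constructed, the node field names are hypothetical, and it assumes the certificate "id" is a top-level field and that a node which really uses a certificate carries that certificate ID somewhere in its own configuration.

```python
import json

# Constructed sample of GET /api/v1/trust-management/certificates/{cert-id}
CERT_JSON = """{
  "id": "cert-0001",
  "display_name": "mp-cluster certificate for node nsx-mngr-01.corp.local",
  "used_by": [{"node_id": "node-a"}, {"node_id": "node-b"}, {"node_id": "node-c"}]
}"""

# Constructed samples of GET /api/v1/cluster/nodes/{node-id}, keyed by node ID.
# The "listener"/"certificate_id" layout is hypothetical; the check does not rely on it.
NODES_JSON = """{
  "node-a": {"id": "node-a", "listener": {"certificate_id": "cert-0001"}},
  "node-b": {"id": "node-b", "listener": {"certificate_id": "cert-0002"}}
}"""


def references(obj, needle):
    """Return True if needle appears as a value anywhere in nested JSON data."""
    if isinstance(obj, dict):
        return any(references(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(references(v, needle) for v in obj)
    return obj == needle


def stale_holders(cert, nodes):
    """List (node_id, reason) for used_by entries the node itself does not back up."""
    stale = []
    for entry in cert.get("used_by", []):
        node_id = entry.get("node_id")
        node = nodes.get(node_id)
        if node is None:
            stale.append((node_id, "node not found"))
        elif not references(node, cert["id"]):
            stale.append((node_id, "no reference in node config"))
    return stale


def check():
    return stale_holders(json.loads(CERT_JSON), json.loads(NODES_JSON))


if __name__ == "__main__":
    for node_id, reason in check():
        print(f"stale used_by entry: {node_id} ({reason})")
```

Any node reported here matches the symptom in this article: the certificate still lists it in used_by, but the node's own configuration does not reference the certificate.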
Environment
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 3.x
VMware NSX 4.x
Cause
This issue occurs because the NSX Manager does not release the certificate automatically.
Resolution
This behavior is a workflow error. If a reference object is mapped to the certificate, the certificate cannot be deleted.
Workaround:
To work around this issue, contact Broadcom Support and note this Article ID (319133) in the problem description.