Failed to enable trust on Compute Manager in NSX
Article ID: 320301
Updated On:
Products
VMware NSX
Issue/Introduction
- NSX manager is deployed using vCenter plugin.
- After updating the vCenter certificate, the NSX Manager UI is no longer loading in vCenter.
- Updating the Compute Manager configuration fails, with the following error:
"Failed to enable trust on Compute Manager due to error There already exists an OIDC end-point with issuer (Error code:90011)"
Environment
VMware NSX 4.x
VMware NSX-T Data Center 3.x
Cause
The issue is due to a stale vCenter thumbprint entry in the NSX Manager DB.
Resolution
This is a condition that may occur in a VMware NSX environment.
Workaround
Delete stale thumbprint entry and update new entry using API using the following steps
- Get vCenter thumbprint
root@vcsa-01 [ ~ ]# openssl s_client -connect <vcenter-ip/fqdn>:443 </dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
Get SHA256 Fingerprint. - Use Postman or any REST API client and run the below GET API call:
GET /api/v1/trust-management/oidc-uris
The response should be200 OK
Retrieve the following values from the output:oidc_uri": "https://vcsa-01.corp.local/openidconnect/vsphere.local/.well-known/openid-configuration","thumbprint": "ad45d34bfdbaecb42d2XXXXXXXXXXXXXXXXX","oidc_type": "vcenter","id": "ed1e58d0XXXXXXXXXXXX1111a837a26e", - Delete the old entry using the following API call:
DELETE /api/v1/trust-management/oidc-uris/<enter-id-here>
Example-https://<nsx-manager-ip>/api/v1/trust-management/oidc-uris/ed1e58d0XXXXXXXXXXXX1111a837a26e - Update oidc using the following API call,
POST /api/v1/trust-management/oidc-uris/
In the body enter the following,{"oidc_type": "As_per_output_of_GET_in_Step_2","oidc_uri": "As_per_output_of_GET_in_Step_2","thumbprint": "New_vcenter_thumbprint_as_per_output_in_Step_1"}
The response should be201 Created
Feedback
Yes
No
Powered by
