"Failed to load requested application. Please try refreshing the browser or contact support if the problem persists." error accessing NSX Intelligence

Article ID: 320981

Products

VMware NSX

Issue/Introduction

Symptoms:
When loading the "Plan & Troubleshoot" page in NSX Intelligence, you experience these symptoms:
  • The Application server fails to fulfill request.
  • The NSX-T Intelligence agent rejects any admin user attempts.
  • You get the error:

    Failed to load requested application. Please try refreshing the browser or contact support if the problem persists.


Environment

VMware NSX-T Data Center 2.5.x

Cause

This issue occurs because the certificate exchange is incomplete or incorrect after the cluster certificate is changed in the NSX Unified Appliance.

Resolution

This is a known issue affecting:
  • VMware NSX-T Data Center 2.5.1 with NSX Intelligence 1.0.1.
  • VMware NSX-T Data Center 2.5.2 with NSX Intelligence 1.0.0.
  • VMware NSX-T Data Center 2.5.2 with NSX Intelligence 1.0.1.
  • VMware NSX-T Data Center 2.5.2 with NSX Intelligence 1.1.0.
Currently, there is no resolution.

Workaround:
To work around this issue after the cluster certificate has been replaced in the NSX-T unified appliance:
  1. Log in to all three NSX-T unified appliance nodes as admin and restart the manager and policy services on every node.

    restart service manager
    restart service policy 

     
  2. After the management cluster status is stable, obtain the certificate ID value from the new certificate:

    (i) In NSX-T unified appliance User Interface, navigate to System > Certificates and click on the ID column for the newly added cluster certificate.

    (ii) Copy the certificate ID from the pop-up window.
     
  3. Obtain the pem_encoded field from the new certificate through the API:

    (i) Use the following API GET:

    GET https://{{nsx_ua_server}}/api/v1/trust-management/certificates/{{certificate ID from previous step}}

    (ii) From the resulting JSON, copy the value for field pem_encoded, excluding the double quotes.
     
  4. Add the new certificate to the client truststore and kafka broker truststore on the NSX Intelligence appliance.

    (i) Using SSH, log in to the NSX Intelligence appliance.

    ssh root@<nsx-intelligence-appliance-ip>
    export NEW_CERT_FILE=/root/new_cert.pem
    export HTTP_CERT_PWD_FILE=/config/http/.http_cert_pw
    export HTTP_CERT_PW=$(cat $HTTP_CERT_PWD_FILE)
    export CLIENT_TRUSTSTORE_FILE="/home/secureall/secureall/.store/.client_truststore"
    export KAFKA_TRUSTSTORE_FILE="/home/secureall/secureall/.store/.kafka_broker_truststore"


    (ii) Paste in the new pem_encoded field from the JSON:

    cat > $NEW_CERT_FILE
    -----BEGIN CERTIFICATE-----
    <pem_encoded field contents>
    -----END CERTIFICATE-----


    (iii) Run sed to replace the literal \n character sequences with actual newlines.

    sed 's/\\n/\
    /g' -i $NEW_CERT_FILE


    (iv) In case the cluster certificate is a CA signed certificate, there will be multiple "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" in NEW_CERT_FILE. Split them into separate files. Skip this step if the cluster certificate is a self-signed certificate.

    csplit -f 'new_cert_' -b '%01d.pem' -z -s new_cert.pem -- '/-----BEGIN CERTIFICATE-----/' '{*}'

    Typically there will be three or more new files generated. Export all file paths accordingly:

    export NEW_CERT_FILE_0=/root/new_cert_0.pem
    export NEW_CERT_FILE_1=/root/new_cert_1.pem
    export NEW_CERT_FILE_2=/root/new_cert_2.pem


    (v) If the cluster certificate is a self-signed certificate, insert the new certificate into client truststore and kafka broker truststore, using a user-defined alias.
    keytool -import -alias "nsx-manager-certificate mp-cluster" -file $NEW_CERT_FILE -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt
    keytool -import -alias "nsx-manager-certificate mp-cluster" -file $NEW_CERT_FILE -keystore $KAFKA_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt


     If the cluster certificate is a CA signed certificate, insert all the certificates into client truststore and kafka broker truststore, using user-defined aliases. Note that $NEW_CERT_FILE_0 is imported without the -trustcacerts option, while the other files are imported with it.
    keytool -import -alias "nsx-manager-certificate mp-cluster 0" -file $NEW_CERT_FILE_0 -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt

    If this command fails with the error "keytool error: java.lang.Exception: Certificate not imported, alias <nsx-manager-certificate mp-cluster 0> already exists", delete the existing certificate using the command below, then run the command above again:
    keytool -delete -alias "nsx-manager-certificate mp-cluster 0" -file $NEW_CERT_FILE_0 -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt

    keytool -import -trustcacerts -alias "nsx-manager-certificate mp-cluster 1" -file $NEW_CERT_FILE_1 -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt
    keytool -import -trustcacerts -alias "nsx-manager-certificate mp-cluster 2" -file $NEW_CERT_FILE_2 -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt
    keytool -import -alias "nsx-manager-certificate mp-cluster 0" -file $NEW_CERT_FILE_0 -keystore $KAFKA_TRUSTSTORE_FILE -storepass "$HTTP_CERT_PW" -noprompt


    If this command fails with the error "keytool error: java.lang.Exception: Certificate not imported, alias <nsx-manager-certificate mp-cluster 0> already exists", delete the existing certificate using the command below, then run the command above again:
    keytool -delete -alias "nsx-manager-certificate mp-cluster 0" -file $NEW_CERT_FILE_0 -keystore $KAFKA_TRUSTSTORE_FILE -storepass "$HTTP_CERT_PW" -noprompt

    keytool -import -trustcacerts -alias "nsx-manager-certificate mp-cluster 1" -file $NEW_CERT_FILE_1 -keystore $KAFKA_TRUSTSTORE_FILE -storepass "$HTTP_CERT_PW" -noprompt
    keytool -import -trustcacerts -alias "nsx-manager-certificate mp-cluster 2" -file $NEW_CERT_FILE_2 -keystore $KAFKA_TRUSTSTORE_FILE -storepass "$HTTP_CERT_PW" -noprompt


    (vi) Verify the certificates were successfully added:

    keytool -list -v -keystore $CLIENT_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt
    keytool -list -v -keystore $KAFKA_TRUSTSTORE_FILE -storepass $HTTP_CERT_PW -noprompt

                
    Using SSH, log in to the NSX Intelligence appliance and restart the proxy, kafka, nsx-config and processing services:

    systemctl restart proxy
    systemctl restart kafka
    systemctl restart nsx-config
    systemctl restart processing


    You should now be able to refresh the "Plan & Troubleshoot" page and view the flow information as before in NSX-T unified appliance User Interface.
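
    The following is an added example, not part of the original article or VMware tooling. It covers steps 3 and 4 (ii)-(iv) and gives a check for step (vi): it takes the saved JSON text from the certificate GET, splits pem_encoded into new_cert_N.pem files, and computes each certificate's SHA-256 fingerprint in the format of the "SHA256:" line printed by keytool -list -v, so the imported entries can be matched against the new cluster certificate. The function names and the sample response are assumptions made for illustration.

```python
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_chain(api_response_text):
    """Return each certificate in pem_encoded as its own PEM string, in file order."""
    # json.loads turns the escaped \n sequences into real newlines,
    # which is the conversion the sed step performs by hand.
    pem = json.loads(api_response_text)["pem_encoded"]
    blocks = []
    for body in PEM_BLOCK.findall(pem):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # reject a truncated or mangled paste
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not blocks:
        raise ValueError("no certificate found in pem_encoded")
    return blocks

def keytool_sha256(pem_block):
    """SHA-256 of the DER bytes, formatted like keytool's 'SHA256:' line."""
    b64 = "".join(PEM_BLOCK.search(pem_block).group(1).split())
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def write_chain(api_response_text, prefix="new_cert_"):
    """Write <prefix>0.pem, <prefix>1.pem, ... and return {path: fingerprint}."""
    result = {}
    for index, block in enumerate(split_chain(api_response_text)):
        path = f"{prefix}{index}.pem"
        with open(path, "w") as handle:
            handle.write(block)
        result[path] = keytool_sha256(block)
    return result

# Constructed sample: the base64 bodies are placeholder bytes, not real certificates.
def fake_pem(raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_RESPONSE = json.dumps(
    {"pem_encoded": "".join(fake_pem(x) for x in (b"leaf", b"intermediate", b"root"))}
)
```

    A fingerprint returned by write_chain that does not appear in either truststore listing means that certificate was not imported.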