After vCenter Certificates are replaced, Compute Manager in NSX-T is Unable to get Registered with the Option "Enable Trust" as Enabled
Article ID: 322036

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Before replacing the vCenter certificate, vCenter was registered as a Compute Manager in NSX-T Manager with the option "Enable Trust" enabled, and the registration was UP.
  • After replacing the vCenter certificate, you observe that the Compute Manager is showing "DOWN", and you have followed the procedure described in this KB article to update the thumbprint of vCenter's new certificate in the compute manager in NSX-T.
    Note: Before replacing the old certificate thumbprint with the new certificate thumbprint of vCenter in NSX-T Manager, take a note of the thumbprint of vCenter's old certificate (let's call it "A"). You can get this on NSX-T Manager: System > Fabric > Compute Managers > edit the Compute Manager.
  • With the option "Enable Trust" toggled ON, when you try to save, you get an error similar to:
          Error: You have 1 Error(s)
          • Compute manager failed to get enabled as auth server due to error Thumbprint mismatch for 8d576a790eb9e3d1f3c977494773c5f66879314fde4b24839090f7bc1f73e849. Check that the thumbprint is correct.. Please check the hostname in the url is reachable from nsx. (Error code:
  • With the option "Enable Trust" toggled OFF, you can save the page and the compute manager connectivity comes back UP. The "Enable Trust" option creates a two-way trust between NSX-T Manager and vCenter. This feature is used by services running in vCenter Server such as Tanzu or vSphere Lifecycle Manager.
  • From the root CLI, in the NSX-T Manager /var/log/proton/nsxapi.log you see an alert similar to:
2023-01-05T05:04:24.530Z ERROR http-nio-127.0.0.1-7440-exec-29 CmInventoryService 6190 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP90002" level="ERROR" reqId="3d285021-3fc2-4a0a-9b18-47bbcf789eda" subcomp="manager" username="admin"] Compute manager x.x.x.x failed to get enabled as auth server
  • Take a note of the thumbprint of vCenter's new certificate (let's call it "B").
    Note: you can obtain this using the command below.
    echo | openssl s_client -connect <vCenter IP or FQDN>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
  • From the root CLI, in the NSX-T Manager /var/log/proton/, search for the following pattern:
    grep "auth server details returned" nsxapi.log
    You should see logs similar to:
2023-01-05T05:04:24.481Z  INFO http-nio-127.0.0.1-7440-exec-29 CmInventoryService 6190 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" reqId="3d285021-3fc2-4a0a-9b18-47bbcf789eda" subcomp="manager" username="admin"] compute manager <<Compute Manager's UUID>> auth server details returned CmAuthServerDetail{oidcUrl='https://<x.x.x.x>/openidconnect/vsphere.local/.well-known/openid-configuration', thumbprint='8d576a790eb9e3d1f3c977494773c5f66879314fde4b24839090f7bc1f73e849', cmVersion='7.0.3'}
    Note the "thumbprint" value from the above output.
  • If the "thumbprint" value obtained above matches value "A" taken earlier, which was the thumbprint of vCenter's old certificate, then not all certificate components on vCenter were properly replaced. Thus, vCenter is still providing the old certificate's thumbprint for its 'openid-configuration' to NSX-T Manager.
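To make the comparison in the steps above mechanical, here is an added shell example (not from the KB): it normalises the different thumbprint spellings (the openssl "SHA256 Fingerprint=AB:CD:..." form, the colon-separated form from the NSX-T UI, the bare lower-case hex in nsxapi.log), pulls the "auth server details returned" thumbprint out of log text, and reports whether vCenter is still presenting the old certificate. The log line, the Compute Manager UUID, the address 192.0.2.10 and the "B" value are constructed; on a real manager feed it /var/log/proton/nsxapi.log instead.

```shell
#!/bin/sh
# Added example, not part of the KB: compare the thumbprint vCenter hands to NSX-T for its
# openid-configuration (from nsxapi.log) against the old ("A") and new ("B") vCenter thumbprints.

# Constructed sample of the nsxapi.log line from the KB; UUID and 192.0.2.10 are placeholders.
sample_nsxapi_log() {
  cat <<'EOF'
2023-01-05T05:04:24.481Z  INFO http-nio-127.0.0.1-7440-exec-29 CmInventoryService 6190 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" reqId="3d285021-3fc2-4a0a-9b18-47bbcf789eda" subcomp="manager" username="admin"] compute manager 00000000-0000-0000-0000-000000000000 auth server details returned CmAuthServerDetail{oidcUrl='https://192.0.2.10/openidconnect/vsphere.local/.well-known/openid-configuration', thumbprint='8d576a790eb9e3d1f3c977494773c5f66879314fde4b24839090f7bc1f73e849', cmVersion='7.0.3'}
EOF
}

# Reduce any spelling of a SHA-256 thumbprint (openssl's "SHA256 Fingerprint=AB:CD:...", the
# colon-separated upper-case form from the NSX-T UI) to the bare lower-case hex nsxapi.log uses.
normalize_thumbprint() {
  printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# Read log text on stdin and print the thumbprint from the most recent
# "auth server details returned" line (empty output if there is none).
log_auth_thumbprint() {
  grep 'auth server details returned' | sed -n "s/.*thumbprint='\([0-9A-Fa-f]*\)'.*/\1/p" | tail -n 1
}

# diagnose A B SEEN: classify the thumbprint SEEN (from the log) against old A and new B.
diagnose() {
  old=$(normalize_thumbprint "$1")
  new=$(normalize_thumbprint "$2")
  seen=$(normalize_thumbprint "$3")
  if [ -z "$seen" ]; then
    echo "no-auth-server-line"        # nothing logged yet; retry the save with Enable Trust ON
  elif [ "$seen" = "$old" ]; then
    echo "stale-openid-cert"          # the KB's case: vCenter still serves the old cert to NSX-T
  elif [ "$seen" = "$new" ]; then
    echo "openid-cert-current"        # vCenter's OIDC endpoint already presents the new cert
  else
    echo "unrecognized-thumbprint"    # neither A nor B; re-check both values
  fi
}

# Constructed values: A is the old thumbprint as the UI shows it, B a made-up new one as openssl prints it.
OLD_A='8D:57:6A:79:0E:B9:E3:D1:F3:C9:77:49:47:73:C5:F6:68:79:31:4F:DE:4B:24:83:90:90:F7:BC:1F:73:E8:49'
NEW_B='sha256 Fingerprint=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# On a real manager replace sample_nsxapi_log with: cat /var/log/proton/nsxapi.log
diagnose "$OLD_A" "$NEW_B" "$(sample_nsxapi_log | log_auth_thumbprint)"   # prints stale-openid-cert
```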


Environment

VMware NSX-T Data Center

Cause

If vCenter's component certificates are not properly replaced, vCenter may still present the old certificate's thumbprint for its 'openid-configuration' (which NSX-T requires when the "Enable Trust" option is toggled ON), while presenting the new certificate's thumbprint when its HTTPS certificate is queried directly, i.e. with:
echo | openssl s_client -connect <vCenter IP or FQDN>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Resolution

To fix the vCenter certificate issue, open a support request with the VMware vCenter support team.

Workaround:
While waiting for the permanent fix to be applied, to keep the compute manager connectivity UP from the NSX-T side, toggle OFF the "Enable Trust" option and save. This brings the compute manager connectivity back to UP.