Symptoms:
- Before the vCenter certificate was replaced, vCenter was registered as a Compute Manager in NSX-T Manager with the option "Enable Trust" enabled, and the registration was UP.
- After replacing the vCenter certificate, you observed that the Compute Manager shows "DOWN", and you have followed the procedure described in this KB article to update the thumbprint of vCenter's new certificate in the Compute Manager entry in NSX-T.
Note: Before replacing the old certificate thumbprint with the new certificate thumbprint of vCenter in NSX-T Manager, take note of the thumbprint of vCenter's old certificate (let's call it "A"). You can find it in NSX-T Manager: System > Fabric > Compute Managers > edit the Compute Manager.
- But with the option "Enable Trust" toggled ON, when you try to save, you get an error similar to,
- With the option "Enable Trust" toggled OFF, you can save the page and the Compute Manager connectivity comes back UP. The "Enable Trust" option creates a two-way trust between NSX-T Manager and vCenter. This feature is useful for services running in vCenter Server such as Tanzu or vSphere Lifecycle Manager.
- From the root CLI on the NSX-T Manager, /var/log/proton/nsxapi.log shows an alert similar to:
2023-01-05T05:04:24.530Z ERROR http-nio-127.0.0.1-7440-exec-29 CmInventoryService 6190 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP90002" level="ERROR" reqId="3d285021-3fc2-4a0a-9b18-47bbcf789eda" subcomp="manager" username="admin"] Compute manager x.x.x.x failed to get enabled as auth server
- Take note of the thumbprint of vCenter's new certificate (let's call it "B").
Note: You can obtain it with the following command:
echo | openssl s_client -connect <vCenter IP or FQDN>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
- From the root CLI on the NSX-T Manager, in /var/log/proton/, search for the following pattern:
grep "auth server details returned" nsxapi.log
You should see log entries similar to:
2023-01-05T05:04:24.481Z INFO http-nio-127.0.0.1-7440-exec-29 CmInventoryService 6190 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" reqId="3d285021-3fc2-4a0a-9b18-47bbcf789eda" subcomp="manager" username="admin"] compute manager <<Compute Manager's UUID>> auth server details returned CmAuthServerDetail{oidcUrl='https://<x.x.x.x>/openidconnect/vsphere.local/.well-known/openid-configuration', thumbprint='8d576a790eb9e3d1f3c977494773c5f66879314fde4b24839090f7bc1f73e849', cmVersion='7.0.3'}
Note the "thumbprint" value from the above output.
- If the "thumbprint" value obtained above matches the "A" value noted earlier (the thumbprint of vCenter's old certificate), not all of the certificate components on vCenter were properly replaced. vCenter is therefore still providing the old certificate's thumbprint for its 'openid-configuration' to NSX-T Manager.
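The comparison in the last step, as an added shell example that is not part of the KB article: openssl prints the fingerprint as uppercase, colon-separated hex, while nsxapi.log records lowercase hex with no separators, so both forms are normalized before comparing. The function names and the sample log line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the KB): decide whether the thumbprint NSX-T logged for
# vCenter's openid-configuration is the old ("A") or the new ("B") certificate's.

# Normalize a fingerprint: strip an "... Fingerprint=" prefix and colons, lowercase.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# Thumbprint from the most recent "auth server details returned" line of a log.
latest_log_thumbprint() {
    grep 'auth server details returned' "$1" \
        | sed -n "s/.*thumbprint='\([0-9A-Fa-f:]*\)'.*/\1/p" | tail -n 1
}

# classify_thumbprint <nsxapi.log> <A> <B>  ->  old | new | unknown | no-log-entry
classify_thumbprint() {
    logged=$(normalize_fp "$(latest_log_thumbprint "$1")")
    old=$(normalize_fp "$2")
    new=$(normalize_fp "$3")
    if [ -z "$logged" ]; then echo "no-log-entry"
    elif [ "$logged" = "$new" ]; then echo "new"
    elif [ "$logged" = "$old" ]; then echo "old"
    else echo "unknown"
    fi
}

if [ "$#" -eq 3 ]; then
    classify_thumbprint "$1" "$2" "$3"
else
    # Constructed sample: one log line shaped like the article's, placeholder values.
    sample=$(mktemp)
    echo "... auth server details returned CmAuthServerDetail{oidcUrl='https://vc.example/...', thumbprint='0a1b2c3d', cmVersion='7.0.3'}" > "$sample"
    classify_thumbprint "$sample" "sha256 Fingerprint=0A:1B:2C:3D" "sha256 Fingerprint=4E:5F:60:71"   # prints: old
    rm -f "$sample"
fi
```

A result of "old" corresponds to the condition described in the last step; "unknown" means the logged value matches neither thumbprint you supplied.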