NSX-T Federation assigning Certificate to Local Manager fails with "Expected 1 local site certificate with service type LOCAL_MANAGER but found 0."

Article ID: 322422

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are using NSX-T Federation.
  • The certificate for the Local Manager has expired.
  • You removed this expired Local Manager certificate.
  • Or you are looking to replace a Local Manager certificate and removed the old one first.
  • Attempting to assign a new certificate to the Local Manager with the following API call fails:
POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=LOCAL_MANAGER
  • Error observed on failure:
"Expected 1 local site certificate with service type LOCAL_MANAGER but found 0."


Environment

VMware NSX-T

Cause

This issue occurs when the original Local Manager certificate was removed before the new one was applied.

Resolution

Create a new certificate and reserve it solely for the Local Manager.

Obtain the site ID on the Local Manager, as the root user:
cd /config/site-manager
cat siteId
The output is the site ID for the Local Manager.

Then, with the site ID and the certificate ID of the new certificate, run the following API call as the root user to reserve the new certificate for the Local Manager site:
curl -X POST -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -d '{"service_type":"LOCAL_MANAGER","node_id":"<site-id>"}' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>?action=reserve"

Note: Please review the Administration guide for further details on replacing a Federation certificate.
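
The two steps above chained into one script, as an added example that is not part of the original article: it reads the site ID, rejects empty or placeholder values such as <cert-id>, and only prints the reserve request unless DRY_RUN=0 is set. The UUID format check, the SITE_ID_FILE and DRY_RUN variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not VMware code. Assumptions: both IDs are UUID-formatted;
# SITE_ID_FILE, DRY_RUN and the function names are chosen for this example.

SITE_ID_FILE="${SITE_ID_FILE:-/config/site-manager/siteId}"
API_BASE="http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates"

# Succeeds only for a canonical 8-4-4-4-12 hex UUID (assumed ID format).
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the site ID stored in file $1 with whitespace stripped.
# Fails if the file is unreadable, empty or does not hold a UUID.
read_site_id() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    id=$(tr -d '[:space:]' < "$1")
    is_uuid "$id" || { echo "unexpected site ID in $1: '$id'" >&2; return 1; }
    printf '%s\n' "$id"
}

# JSON body for the reserve call, same fields as in the article.
reserve_payload() {
    printf '{"service_type":"LOCAL_MANAGER","node_id":"%s"}' "$1"
}

# Reserve certificate $1 for the local site.
# Prints the request instead of sending it unless DRY_RUN=0.
reserve_cert() {
    is_uuid "$1" || { echo "certificate ID is not a UUID: '$1'" >&2; return 1; }
    site_id=$(read_site_id "$SITE_ID_FILE") || return 1
    url="$API_BASE/$1?action=reserve"
    body=$(reserve_payload "$site_id")
    if [ "${DRY_RUN:-1}" = "0" ]; then
        curl -sS -X POST -H "Content-Type: application/json" \
            -H "X-NSX-Username:admin" -d "$body" "$url"
    else
        printf 'POST %s\n%s\n' "$url" "$body"
    fi
}

# Run only when a certificate ID is given on the command line.
if [ $# -ge 1 ]; then reserve_cert "$1"; fi
```

Run it as root on the Local Manager with the new certificate ID as the only argument, review the printed request, then repeat with DRY_RUN=0 to send it.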

Additional Information

Impact/Risks:
Unable to replace the Local Manager certificate.