This is a known issue impacting VMware NSX.
Workaround:
- Identify the certificate that is preventing the reverse proxy service from starting. You can use the following API to retrieve all certificates:
GET /api/v1/trust-management/certificates
- Then note which ones use the service_type CLIENT_AUTH.
- For each of these, check the length of the certificate, excluding the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, that is, count all characters between these headers.
- If you find one whose length is a multiple of 253, remove this certificate. You can use the following API as the root user on the NSX-T manager to delete the certificate:
curl -H "x-nsx-username: admin" -X DELETE http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>
- Where '<cert-id>' is the ID of the certificate identified as having a length that is a multiple of 253 and using service_type CLIENT_AUTH.
- Once the certificate is removed, the service should start again.
- If the issue occurred during an upgrade, you should now be able to proceed with the upgrade.
Note: If you are using Federation and the certificate is assigned to a PI account used by one of the sites, do not use the delete API above. Instead, follow the administration guide to replace the site certificate; this will automatically update the certificate used by the PI for that site.
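The identification steps above as a script, added here as an example and not VMware's own code: it reads a saved response from GET /api/v1/trust-management/certificates and lists CLIENT_AUTH certificates whose body length is a multiple of 253. The field names (results, id, pem_encoded, used_by, service_types, service_type) are assumptions about the response layout and the sample data is constructed. Because the steps do not say whether line breaks count, both counts are reported and a match on either flags the certificate.

```python
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def body_lengths(pem):
    """Return (as_stored, without_line_breaks) character counts per PEM block."""
    return [(len(b), len("".join(b.split()))) for b in PEM_BLOCK.findall(pem)]

def service_types(cert):
    """Collect service types from either assumed field layout."""
    types = {cert["service_type"]} if cert.get("service_type") else set()
    for user in cert.get("used_by") or []:
        types.update(user.get("service_types") or [])
    return types

def find_candidates(response_text, modulus=253):
    """List (id, as_stored, without_line_breaks) for CLIENT_AUTH certificates
    where either count is a non-zero multiple of the modulus."""
    hits = []
    for cert in json.loads(response_text).get("results", []):
        if "CLIENT_AUTH" not in service_types(cert):
            continue
        for stored, b64 in body_lengths(cert.get("pem_encoded") or ""):
            if any(n and n % modulus == 0 for n in (stored, b64)):
                hits.append((cert.get("id"), stored, b64))
                break
    return hits

def make_pem(n_chars):
    """Constructed filler wrapped at 64 columns; not a real certificate."""
    data = "A" * n_chars
    body = "\n".join(data[i:i + 64] for i in range(0, n_chars, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def entry(cert_id, n_chars, svc):
    return {"id": cert_id, "pem_encoded": make_pem(n_chars),
            "used_by": [{"service_types": [svc]}]}

# Constructed stand-in for a saved GET response; ids are placeholders.
SAMPLE = json.dumps({"results": [
    entry("cert-a", 1012, "CLIENT_AUTH"),   # 1012 = 4 * 253 characters
    entry("cert-b", 1000, "CLIENT_AUTH"),   # neither count matches
    entry("cert-c", 1012, "API"),           # matching length, other service type
]})

if __name__ == "__main__":
    for cert_id, stored, b64 in find_candidates(SAMPLE):
        print(f"{cert_id}: {stored} chars as stored, {b64} without line breaks")
```

The script only reports candidates; check each reported ID against the Federation note before using the delete API.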