NSX-T generates alerts 'Couldn't get LDAP context from URI'

Article ID: 322450

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are using certificates with no CRL (Certificate Revocation List) configured.
  • The following log entries are generated in the NSX-T manager syslog: 
2023-01-16T08:18:58.521Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Couldn't get LDAP context from URI ldap:///CN=Corp%20AB%20Issuing%20CA4,CN=test1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=corp,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
2023-01-16T08:18:58.521Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP2062" level="ERROR" subcomp="manager"] Unexpected NullPointerException while fetching CRL: null
  • The above log entries may also be seen on an external logging server.
  • The following API call to the NSX-T manager shows that CRL checking is disabled:
GET https://<manager>/api/v1/global-configs/SecurityGlobalConfig
Result:
...
"crl_checking_enabled": false,
...
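The two symptoms above (the LDAP CDP warning / MP2062 error in syslog, together with crl_checking_enabled reported as false) can be checked mechanically. The following is an added example, not code from the KB article or from VMware: it parses NSX-T manager syslog lines with a small regex of our own, flags the two signatures quoted above, and reads the crl_checking_enabled field from a SecurityGlobalConfig response body. The sample log lines are the ones quoted in the article plus one constructed INFO line; the sample config body is constructed and contains only the field the check needs.

```python
import json
import re

# Our own parser for the NSX-T manager syslog format seen above (RFC 5424 style with an
# "nsx@6876" structured-data element). The regex is an assumption based on the quoted
# lines, not an NSX-provided grammar.
NSX_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) NSX (?P<pid>\d+) (?P<facility>\S+) '
    r'\[nsx@6876 (?P<sd>[^\]]*)\] (?P<msg>.*)$'
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Message signatures quoted in the article.
CRL_SIGNATURES = (
    "Couldn't get LDAP context from URI",
    "NullPointerException while fetching CRL",
)


def parse_nsx_log_line(line):
    """Return a dict of fields for one NSX-T syslog line, or None if it does not match."""
    m = NSX_LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Flatten the structured-data params (comp, level, subcomp, errorCode, ...) into the dict.
    fields.update(dict(SD_PARAM_RE.findall(fields.pop("sd"))))
    return fields


def find_crl_fetch_errors(lines):
    """Return parsed entries that carry errorCode MP2062 or one of the CRL signatures."""
    hits = []
    for line in lines:
        entry = parse_nsx_log_line(line)
        if entry is None:
            continue
        if entry.get("errorCode") == "MP2062" or any(s in entry["msg"] for s in CRL_SIGNATURES):
            hits.append(entry)
    return hits


def crl_checking_disabled(config_body):
    """True when a GET /api/v1/global-configs/SecurityGlobalConfig body has CRL checking off."""
    config = json.loads(config_body) if isinstance(config_body, str) else config_body
    return config.get("crl_checking_enabled") is False


def is_known_caching_issue(lines, config_body):
    """Both conditions from the article: CRL fetch errors logged while CRL checking is disabled."""
    return bool(find_crl_fetch_errors(lines)) and crl_checking_disabled(config_body)


# Constructed sample input: the two lines quoted in the article plus one unrelated INFO line.
SAMPLE_LOG = [
    '2023-01-16T08:18:58.521Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" '
    'level="WARNING" subcomp="manager"] Couldn\'t get LDAP context from URI '
    'ldap:///CN=Corp%20AB%20Issuing%20CA4,CN=test1,CN=CDP,CN=Public%20Key%20Services,'
    'CN=Services,CN=Configuration,DC=dom,DC=corp,DC=local?certificateRevocationList?base'
    '?objectClass=cRLDistributionPoint',
    '2023-01-16T08:18:58.521Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" '
    'errorCode="MP2062" level="ERROR" subcomp="manager"] Unexpected NullPointerException '
    'while fetching CRL: null',
    '2023-01-16T08:19:00.000Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" '
    'level="INFO" subcomp="manager"] Certificate cache refreshed',
]

# Constructed sample of the SecurityGlobalConfig response body, trimmed to the relevant field.
SAMPLE_CONFIG = '{"crl_checking_enabled": false, "resource_type": "SecurityGlobalConfig"}'

if __name__ == "__main__":
    for e in find_crl_fetch_errors(SAMPLE_LOG):
        print(e["ts"], e["host"], e["level"], e.get("errorCode", "-"), e["msg"][:60])
    print("matches KB 322450 pattern:", is_known_caching_issue(SAMPLE_LOG, SAMPLE_CONFIG))
```

Feed `find_crl_fetch_errors` the lines from the manager's syslog (or the external logging server mentioned above) and `crl_checking_disabled` the body of the SecurityGlobalConfig call; when both return true, the entries are the benign pattern this article describes rather than a failed revocation check.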


Environment

VMware NSX-T Data Center

Cause

Due to an issue with NSX-T manager caching, the crl_checking_enabled flag is not being checked.

Resolution

This is a known issue in NSX-T Data Center.

Workaround:
This issue has no functional impact.
If you wish to avoid receiving these log entries, you can remove the CRL CDP (CRL Distribution Point) from NSX-T.
Use the following API to get the list of CDPs:
GET /api/v1/trust-management/crl-distribution-points
From the results returned, use the ID in the following DELETE API call:
DELETE /api/v1/trust-management/crl-distribution-points/<cdp-id>
Repeat the above steps for each CDP you wish to remove.
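The list-then-delete procedure above, as an added example that is not part of the KB article and not VMware code. It separates the API transport from the logic so the selection can be reviewed in a dry run before any DELETE is sent. Assumptions, labelled in the code: the list body follows the usual NSX list shape with a "results" array whose entries carry "id" and (assumed) "cdp_url"; the real transport uses HTTP basic authentication against the manager; the sample IDs and URLs are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

LIST_PATH = "/api/v1/trust-management/crl-distribution-points"


def list_cdp_ids(list_response):
    """Extract (id, cdp_url) pairs from the GET .../crl-distribution-points body.

    Assumption: NSX list shape with a "results" array of objects carrying "id" and
    (assumed field name) "cdp_url".
    """
    body = json.loads(list_response) if isinstance(list_response, str) else list_response
    return [(item["id"], item.get("cdp_url", "")) for item in body.get("results", [])]


def remove_cdps(send, selector=lambda cdp_id, url: True, dry_run=True):
    """List the CDPs, then DELETE each one the selector accepts.

    `send(method, path)` performs one authenticated request and returns the decoded
    body (None for an empty response). With dry_run=True nothing is deleted; the
    function returns the DELETE paths it would call, so the plan can be reviewed first.
    """
    planned = []
    for cdp_id, url in list_cdp_ids(send("GET", LIST_PATH)):
        if not selector(cdp_id, url):
            continue
        path = f"{LIST_PATH}/{cdp_id}"
        planned.append(path)
        if not dry_run:
            send("DELETE", path)
    return planned


def make_urllib_sender(base_url, username, password, cafile=None):
    """Real transport (assumption: basic auth; cafile pins the manager's CA certificate)."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method, path):
        req = urllib.request.Request(
            base_url + path, method=method,
            headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            data = resp.read()
        return json.loads(data) if data else None

    return send


def make_fake_sender(list_body):
    """Offline stand-in for send(): records every call instead of contacting a manager."""
    calls = []

    def send(method, path):
        calls.append((method, path))
        if method == "GET" and path == LIST_PATH:
            return list_body
        return None

    send.calls = calls
    return send


# Constructed sample list response; IDs and URLs are placeholders, not real values.
SAMPLE_LIST = {
    "result_count": 2,
    "results": [
        {"id": "cdp-0001-placeholder",
         "cdp_url": "ldap:///CN=Corp%20AB%20Issuing%20CA4,CN=CDP,DC=corp,DC=local"
                    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"},
        {"id": "cdp-0002-placeholder",
         "cdp_url": "http://crl.example.test/issuing-ca4.crl"},
    ],
}

if __name__ == "__main__":
    fake = make_fake_sender(SAMPLE_LIST)
    # Example selector: only the LDAP CDPs named in the warning, leaving HTTP CDPs in place.
    ldap_only = lambda cdp_id, url: url.startswith("ldap://")
    print("dry run:", remove_cdps(fake, ldap_only, dry_run=True))
    print("applied:", remove_cdps(fake, ldap_only, dry_run=False))
    print("calls:  ", fake.calls)
```

Against a real manager, replace the fake sender with `make_urllib_sender("https://<manager>", user, password, cafile=...)`, run once with `dry_run=True`, confirm the returned paths match the IDs you intend to remove, and only then run with `dry_run=False`. The selector is the place to restrict removal to specific IDs if you do not want every CDP gone.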