NSX-T generates alerts 'Couldn't get LDAP context from URI'
Article ID: 322450
Updated On:
Products
VMware NSX
Issue/Introduction
- The following logs entries are generated in the NSX-T manager syslog:
2023-01-16T08:18:58.521Z nsx1.corp.local NSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Couldn't get LDAP context from URI ldap:///CN=Corp%20AB%20Issuing%20CA4,CN=test1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint2023-01-16T08:18:58.521Z nsx1.example.comNSX 4552 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP2062" level="ERROR" subcomp="manager"] Unexpected NullPointerException while fetching CRL: null- The above log entries may also be seen on external logging server.
- Using the following API call to the NSX-T manager, we see CRL checking is disabled:
GET https://<manager>/api/v1/global-configs/SecurityGlobalConfigResult:..." crl_checking_enabled": false,...Environment
VMware NSX-T Data Center 3.x
VMware NSX 4.x
You are using certificates with no CRL (Certificate Revocation List) configured.
Cause
Due to an issue with NSX-T manager caching, the crl_checking_enabled flag is not being checked.
Resolution
This issue is resolved in VMware NSX 4.2.0
Workaround:
This issue has no functional impact.
If you wish to avoid receiving these log entries, you can remove the CRL CDP (CRL Distribution Point) from NSX-T.
Use the following API to get the list of CDP's:
GET /api/v1/trust-management/crl-distribution-pointsFrom the results returned, use the ID in the following DELETE API call:
DELETE /api/v1/trust-management/crl-distribution-points\<cdp-id>Repeat above steps for each CDP to be removed.
Feedback
Yes
No
Powered by
