Adding a new compute manager in NSX-T fails with a 7061 error

Article ID: 322546



VMware NSX Networking


  • You are trying to add a new compute manager (vCenter Server) to the NSX-T manager cluster, but this fails with error code 7061.
  • In the NSX-T manager cm-inventory.log, you see the following ERROR:
2021-11-12T15:56:41.601Z ERROR http-nio- VcPlugin - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40106" level="ERROR" subcomp="cm-inventory"] Unable to login with username password for
com.vmware.vim.vmomi.client.exception.SslException: PKIX path building failed: No issuer certificate for certificate in certification path found.
 at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError( ~[vlsi-client-]
 at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError( ~[vlsi-client-]
 at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope( ~[vlsi-client-]


VMware NSX-T Data Center


This happens when the certificate chain presented by the compute manager is invalid. This may be due to a missing certificate in the chain or an incorrect order of the chain. In the above example, the intermediate certificate was missing from the certificate chain presented by the compute manager.


The compute manager certificate needs to be validated and fixed.
The following steps can be used:
Obtain the certificate chain from vCenter Server (VC) using the following command:
 # openssl s_client -showcerts -debug -connect <VC-IP>:443

Validate the certificate chain using any certificate checking resource.
One recommended resource is the following website:
In NSX-T Data Center 3.1.1 and onwards, the error message displayed in this scenario has been improved:
"Certificate chain of Compute Manager is invalid. Please check Issuer and Subject in the chain."

Correct the certificate used by the compute manager.
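
The following is an added example, not part of the original article or of any VMware tooling: a Python script that reads the output of the openssl s_client -showcerts command above and checks, by name only, that each certificate's issuer is the subject of the next certificate, which reveals a missing intermediate or a wrong order. The sample output and its host and CA names are constructed, and no signatures are verified.

```python
import re
import sys

SUBJECT = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")   # e.g. " 0 s:CN = host"
ISSUER = re.compile(r"^\s+i:\s*(.+?)\s*$")            # e.g. "   i:CN = issuing CA"

# Constructed sample: the server sends only its leaf certificate, so the
# intermediate that issued it is absent (the case described in this article).
SAMPLE = """\
Certificate chain
 0 s:CN = vc01.example.test
   i:CN = Example Issuing CA
"""

def parse_chain(s_client_output):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' listing."""
    chain, pending = [], None
    for line in s_client_output.splitlines():
        m = SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = ISSUER.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1)))
            pending = None
    return chain

def check_chain(s_client_output):
    """Compare subject/issuer names only (no signature check); list problems."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no certificates found in output"]
    findings = []
    for (d, _subj, issuer), (_, next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            findings.append(f"cert {d}: issuer '{issuer}' is not the subject of "
                            f"cert {d + 1} ('{next_subj}'): wrong order or gap")
    depth, subject, issuer = chain[-1]
    if subject != issuer:  # expected only if the issuer is a root the client trusts
        findings.append(f"cert {depth}: chain ends at '{subject}'; "
                        f"issuer '{issuer}' was not sent")
    return findings

if __name__ == "__main__":
    for finding in check_chain(sys.stdin.read()) or ["chain order is consistent"]:
        print(finding)
```

To check a live compute manager, save the block (check_chain.py is a hypothetical file name) and run: openssl s_client -showcerts -connect <VC-IP>:443 </dev/null | python3 check_chain.py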