Adding a new compute manager in NSX-T fails with a 7061 error

Article ID: 322546

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are trying to add a new compute manager (vCenter Server) to the NSX-T manager cluster, but this fails with error code 7061
  • In the NSX-T manager cm-inventory.log you see the following ERROR:
2021-11-12T15:56:41.601Z ERROR http-nio-127.0.0.1-7443-exec-3 VcPlugin - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40106" level="ERROR" subcomp="cm-inventory"] Unable to login with username password for 192.168.1.253
com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
 at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:261) ~[vlsi-client-7.0.1.8343824.jar:?]
 at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError(HttpExchangeBase.java:311) ~[vlsi-client-7.0.1.8343824.jar:?]
 at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:57) ~[vlsi-client-7.0.1.8343824.jar:?]


Environment

VMware NSX-T Data Center

Cause

This happens when the certificate used by the compute manager is invalid. This may be due to a missing certificate in the chain or an incorrect order of the chain. In the above example, the intermediate certificate was missing from the certificate chain presented by the compute manager.

Resolution

The compute manager certificate needs to be validated and fixed.
The following steps can be used:
You can obtain the certificate chain from the vCenter Server (VC) using the following command:
 # openssl s_client -showcerts -debug -connect <VC-IP>:443

Validate the certificate chain using any certificate checking resource.
One recommended resource is the following website: https://tools.keycdn.com/ssl

In NSX-T Data Center 3.1.1 and onwards, the error message displayed in this scenario has been improved:
"Certificate chain of Compute Manager is invalid. Please check Issuer and Subject in the chain."
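
As an added example (not VMware's code and not part of the original article), the following Python script reads the "Certificate chain" section printed by the openssl command above and checks that each certificate's issuer is the subject of the next certificate presented, which is the Issuer/Subject check the improved error message asks for. The sample output and the names in it are constructed, and the comparison is by name only, without signature verification.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts` (PEM bodies trimmed); the intermediate
# CA that issued certificate 0 is not presented.
SAMPLE = """\
Certificate chain
 0 s:CN = vc01.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Root CA
   i:CN = Example Root CA
---
Server certificate
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, active = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            active = True
        elif active and line.strip() == "---":
            break  # end of the chain section
        elif active:
            subj = re.match(r"\s*\d+ s:(.*)", line)
            issr = re.match(r"\s+i:(.*)", line)
            if subj:
                chain.append([subj.group(1).strip(), None])
            elif issr and chain and chain[-1][1] is None:
                chain[-1][1] = issr.group(1).strip()
    return [tuple(entry) for entry in chain]

def check_chain(chain):
    """Name-only check: each issuer must be the subject of the next cert."""
    subjects = [subject for subject, _ in chain]
    findings = []
    for n, (subject, issuer) in enumerate(chain):
        following = subjects[n + 1] if n + 1 < len(chain) else None
        if issuer in (subject, following):
            continue  # self-signed, or correctly followed by its issuer
        # Issuer is elsewhere in the chain (wrong order) or absent. For the
        # last certificate, absence is fine only if it is a trusted root.
        kind = "out-of-order" if issuer in subjects else "issuer-not-presented"
        findings.append((n, kind, issuer))
    return findings

if __name__ == "__main__":
    for index, kind, issuer in check_chain(parse_chain(SAMPLE)):
        print(f"certificate {index}: {kind}: {issuer}")
```

To check a real compute manager, save the output of the openssl command to a file and pass its contents to parse_chain in place of SAMPLE.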


Workaround:
Correct the certificate used by the compute manager.