VMware NSX LDAPS server connection not working POST upgrade to VMware NSX 4.1.X
Article ID: 322617
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- You recently upgraded NSX-T to 4.1.1 or above.
- You have an LDAPS server configured.
- After the upgrade the LDAPS server connection is in a failed state.
- In the VMware NSX manager /var/log/syslog and /var/log/proton/nsxapi.log, you see errors similar to the below:
WARN http-nio-127.0.0.1-7440-exec-2 CdpCrlChecker 4477 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="xxxxxxxx-dbca-4718-ba7f-xxxxxxxxxxxx" subcomp="manager" username="admin"] CRL CN=XXXXXX,DC=XXXXXX,DC=XXXXXX,DC=XXX is signed with OID 1.2.840.113549.1.1.10
Environment
VMware NSX-T Data Center
VMware NSX 4.x
Cause
VMware NSX supports the following signature algorithms to be used for signing:
AlgorithmId.sha256WithRSAEncryption_oid ( 1, 2, 840, 113549, 1, 1, 11)
AlgorithmId.sha256WithDSA_oid (2, 16, 840, 1, 101, 3, 4, 3, 2)
AlgorithmId.sha256WithECDSA_oid (1, 2, 840, 10045, 4, 3, 2)
AlgorithmId.sha384WithECDSA_oid (1, 2, 840, 10045, 4, 3, 3)
AlgorithmId.sha384WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 12)
AlgorithmId.sha512WithECDSA_oid (1, 2, 840, 10045, 4, 3, 4)
AlgorithmId.sha512WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 13)
The certificate used to sign the CRL did not use one of the above signatures.
AlgorithmId.sha256WithRSAEncryption_oid ( 1, 2, 840, 113549, 1, 1, 11)
AlgorithmId.sha256WithDSA_oid (2, 16, 840, 1, 101, 3, 4, 3, 2)
AlgorithmId.sha256WithECDSA_oid (1, 2, 840, 10045, 4, 3, 2)
AlgorithmId.sha384WithECDSA_oid (1, 2, 840, 10045, 4, 3, 3)
AlgorithmId.sha384WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 12)
AlgorithmId.sha512WithECDSA_oid (1, 2, 840, 10045, 4, 3, 4)
AlgorithmId.sha512WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 13)
The certificate used to sign the CRL did not use one of the above signatures.
Resolution
None, this issue is due to incorrectly signed CRL certificate, which are not supported by VMware NSX.
Workaround:
You can disable CRL checking, which will prevent the connection from failing when checking the CRL of the certificate used by the LDAPS server.
Use the API call:
Workaround:
You can disable CRL checking, which will prevent the connection from failing when checking the CRL of the certificate used by the LDAPS server.
Use the API call:
GET https://{{ip}}/policy/api/v1/infra/security-global-config
And change the value for "crl_check_enabled" from true to false and USE the returned data, with edit in the following POST API call:
PUT https://{{ip}}/policy/api/v1/infra/security-global-config
Feedback
Yes
No
Powered by
