After the vCenter Server certificate is replaced, the compute manager connection is "Down" in the NSX UI

Article ID: 323341

Products

VMware NSX

Issue/Introduction

  • NSX cannot be configured on new ESXi hosts; the process fails with the error message "Error: There was an unexpected error occurred while fetching Physical NICs for the host. Please manually enter nic to proceed. (Error code: #####)"
  • You have replaced the vCenter Server certificate
  • In the NSX UI:
    1. Navigate to System > Fabric > Compute Manager
    2. Verify that Connection Status shows 'Down'
    3. Click Down in the Connection Status column
    4. You should see an error similar to: Compute Manager <Compute Manager Host Name> cannot be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed.
  • In the NSX log /var/log/cm-inventory/cm-inventory.log, you see entries similar to:
    <date><>  INFO inventoryTasksScheduler4 CmInventoryService 7538 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Retrieved cm config info from cm plugin instance, cmPluginStatusData= CmPluginStatusData{id=<id>, server=<name/IP>, cmPluginStatus=CmPluginStatusInfo{status=FAILED, cmConnectionStatus=DOWN, errors=[{"moduleName":"cm-inventory","errorCode":40107,"errorMessage":"Unable to connect to Compute Manager <name/IP>. Please edit compute manager details if FQDN or thumbprint is changed. If the issue persists, please check whether the https port 443 and http port 80 are open in the firewall on all NSX nodes."}, {"moduleName":"cm-inventory","errorCode":40118,"errorMessage":"Compute Manager <name/IP> can not be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed."}]}}
    
    
    <date><> INFO inventoryTasksScheduler6 CmPluginStateManager ##### SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Cm Plugin info found for cm ########-####-####-####-###########. Plugin Info:ComputeManagerPluginInfo{id='########-####-####-####-###########', server=<name/IP>, name='null', description='null', originType='vCenter', version='#.#.#', cmPluginStatus='ComputeManagerPluginStatus{cmId='########-####-####-####-###########', originType='vCenter', cmConnectionStatus='DOWN', cmConnectionStatusDetails='null', pluginStatus='FAILED', errors='[{"moduleName":"cm-inventory","errorCode":40107,"errorMessage":"Unable to connect to Compute Manager <name/IP>. Please edit compute manager details if FQDN or thumbprint is changed. Please check if compute manager certificate is valid and not revoked. If the issue persists, please check whether the https port 443 and http port 80 are open in the firewall on all NSX nodes."}, {"moduleName":"cm-inventory","errorCode":40118,"errorMessage":"Compute Manager <name/IP> cannot be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed."}]', warnings='[]'}', additionalInfo='[]'} . Plugin Status : FAILED
  • In the NSX UI, the vCenter compute manager is showing as disconnected

Environment

  • VMware NSX-T Data Center
  • VMware NSX

Cause

This problem occurs because the certificate thumbprint that NSX Manager holds for the compute manager is different from the thumbprint of the updated certificate.
The thumbprint of the certificate changes only when the certificate itself is replaced.
This can happen after the vCenter Server certificate is replaced using "vCert - expired certificate replacement script".

Resolution

To restore the Compute Manager connection:

  1. Navigate to System > Fabric > Compute Manager
  2. Select the Compute Manager and click Edit
  3. Click on Save
  4. The "Thumbprint is missing" warning popup will be displayed if the provided thumbprint is incorrect
  5. Validate the thumbprint presented in the popup window and click Add

    To check the thumbprint in the vCenter Server Appliance Shell, run the following command:

echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
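
Step 5 asks you to validate the thumbprint shown in the popup before adding it. The following shell functions are an added example, not part of the original article or of any VMware tooling: they compare the value read locally on the vCenter Server Appliance with the value presented by NSX, ignoring differences in case, colons and the "Fingerprint=" prefix. All function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare the SHA-256 thumbprint read on the vCenter Server
# Appliance with the one shown in the NSX "Thumbprint is missing" popup.
# Function names are hypothetical; only openssl and POSIX tools are used.
#
# Usage on the appliance (after sourcing this file):
#   compare_fp "$(fetch_fp localhost)" "<thumbprint copied from the NSX popup>"

# Reduce a fingerprint in any common notation to bare upper-case hex.
# Accepts "sha256 Fingerprint=AA:BB:..", "aa:bb:.." or "aabb..".
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeeds only for a well-formed SHA-256 thumbprint (exactly 64 hex digits),
# so a truncated or mistyped value is rejected instead of compared.
is_sha256_fp() {
    fp=$(normalize_fp "$1")
    [ "${#fp}" -eq 64 ] || return 1
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    return 0
}

# Read the thumbprint of the certificate served on HOST:443. Same openssl
# pipeline as in the article, with the host passed as a parameter.
fetch_fp() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# compare_fp TRUSTED PRESENTED
# Prints MATCH, MISMATCH or INVALID; returns 0 only when both values are
# valid SHA-256 thumbprints of the same certificate.
compare_fp() {
    if ! is_sha256_fp "$1" || ! is_sha256_fp "$2"; then
        echo "INVALID"
        return 2
    fi
    if [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH"
    return 1
}
```

Accept the thumbprint in the popup only on MATCH; a MISMATCH means NSX is being shown a different certificate than the one vCenter Server itself is serving.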

Additional Information

If "HTTPS port of Reverse Proxy" is 0, you cannot update the compute manager settings because of the issue described in "Field level validation errors: {value 0 of property reverse_proxy_https_port has violated the minimum valid value 1}" when editing compute manager in NSX.