After VMware vCenter Server certificate is replaced, compute manager connection is "Down" on NSX UI


Article ID: 323341


Products

VMware NSX Networking

Issue/Introduction

Symptoms:

  • You have replaced vCenter Server certificates with certificate-manager
  • On the NSX UI:
    1. Navigate to System > Fabric > Compute Manager
    2. Verify that Connection Status shows 'Down'
    3. Click Down in the Connection Status column
    4. Check whether you see an error similar to:
Compute Manager {Compute Manager Host Name} cannot be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed.
  • In the /var/log/cm-inventory/cm-inventory.log, you see entries similar to:
<date><>  INFO inventoryTasksScheduler4 CmInventoryService 7538 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Retrieved cm config info from cm plugin instance, cmPluginStatusData= CmPluginStatusData{id=<id>, server=<server name>.<domain>, cmPluginStatus=CmPluginStatusInfo{status=FAILED, cmConnectionStatus=DOWN, errors=[{"moduleName":"cm-inventory","errorCode":40107,"errorMessage":"Unable to connect to Compute Manager <server name>.<domain>. Please edit compute manager details if FQDN or thumbprint is changed. If the issue persists, please check whether the https port 443 and http port 80 are open in the firewall on all NSX nodes."}, {"moduleName":"cm-inventory","errorCode":40118,"errorMessage":"Compute Manager <server name>.<domain> can not be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed."}]}}



Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

This issue occurs because the certificate thumbprint that NSX Manager has stored differs from the thumbprint of the new certificate installed by certificate-manager.

Resolution

To restore compute manager connection:

  1. Navigate to System > Fabric > Compute Manager
  2. Select the compute manager and click Edit
  3. Enter the correct thumbprint in "SHA-256 thumbprint" and click Save

Alternatively, you can leave "SHA-256 thumbprint" blank and click Save. The UI will show an error, but the error message includes the thumbprint.
For example:
Cannot register compute manager, server thumbprint is blank or empty. Found thumbprint ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:## for server. If correct, please re-submit with this thumbprint (Error code: 7049)



To check the thumbprint in the vCenter Server Appliance shell, run the following command:
echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Output Example:
Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##

If the thumbprint in the NSX dialog box matches the thumbprint from vCenter and you still receive the same error, try registering vCenter in the same NSX dialog box using its IP address (or, if it was originally registered by IP address, try the FQDN instead). This forces NSX Manager to query vCenter for the thumbprint instead of comparing cached thumbprints.
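
The log check and thumbprint comparison described above can be scripted. The following is an added example, not VMware-provided code: it lists the error codes present in cm-inventory.log text and compares the fingerprint served by vCenter with the value entered in NSX, ignoring case, colons and the openssl output prefix. The function names and the script name check_fp.sh are assumptions.

```shell
#!/bin/sh
# Added example (not VMware code). Function and script names are hypothetical.

# normalize_fp: reduce a fingerprint to 64 upper-case hex characters.
# Accepts "SHA256 Fingerprint=AA:BB:...", "AA:BB:..." or plain "aabb...".
normalize_fp() {
    fp=$(printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n\t' | tr 'a-f' 'A-F')
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;      # empty or non-hex input
    esac
    [ "${#fp}" -eq 64 ] || return 1      # SHA-256 is 32 bytes = 64 hex chars
    printf '%s\n' "$fp"
}

# fp_match: 0 = same fingerprint, 1 = different, 2 = unparsable input.
fp_match() {
    a=$(normalize_fp "$1") || return 2
    b=$(normalize_fp "$2") || return 2
    [ "$a" = "$b" ]
}

# live_fp: the command from this article, parameterised on the vCenter host.
live_fp() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# cm_error_codes: distinct errorCode values found in log text on stdin.
# On this page, 40118 is the thumbprint-mismatch error and 40107 the
# generic "Unable to connect" error that accompanies it.
cm_error_codes() {
    grep -o '"errorCode":[0-9]*' | sed 's/.*://' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Usage: sh check_fp.sh <vcenter-host> <thumbprint-from-NSX-dialog>
if [ "$#" -eq 2 ]; then
    if fp_match "$(live_fp "$1")" "$2"; then
        echo "MATCH: NSX thumbprint equals the certificate vCenter serves"
    else
        echo "MISMATCH or unreadable: update the thumbprint in NSX"
    fi
fi
```

To list the error codes, run `cm_error_codes < /var/log/cm-inventory/cm-inventory.log` on the NSX Manager after sourcing the functions.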