After the vCenter Server certificate is replaced, the compute manager connection is "Down" in the NSX UI
search cancel

After the vCenter Server certificate is replaced, the compute manager connection is "Down" in the NSX UI

book

Article ID: 323341

calendar_today

Updated On: 01-08-2025

Products

VMware NSX

Issue/Introduction

  • You have replaced the vCenter Server certificate
  • In the NSX UI:
    1. Navigate to System > Fabric > Compute Manager
    2. Verify 'Down' in Connection Status
    3. Click Down in Connection Status column
    4. You should see an error similar to: Compute Manager <Compute Manager Host Name> cannot be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed. ​​​
  • In the NSX /var/log/cm-inventory/cm-inventory.log, you see entries similar to:
    <date><>  INFO inventoryTasksScheduler4 CmInventoryService 7538 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Retrieved cm config info from cm plugin instance, cmPluginStatusData= CmPluginStatusData{id=<id>, server=<server name>.<domain>, cmPluginStatus=CmPluginStatusInfo{status=FAILED, cmConnectionStatus=DOWN, errors=[{"moduleName":"cm-inventory","errorCode":40107,"errorMessage":"Unable to connect to Compute Manager <server name>.<domain>. Please edit compute manager details if FQDN or thumbprint is changed. If the issue persists, please check whether the https port 443 and http port 80 are open in the firewall on all NSX nodes."}, {"moduleName":"cm-inventory","errorCode":40118,"errorMessage":"Compute Manager <server name>.<domain> can not be connected, as its thumbprint does not match. Please edit compute manager details if thumbprint is changed."}]}}

Environment

VMware NSX-T Data Center
VMware NSX

Cause

This problem occurs because the thumbprint of the certificate that NSX Manager holds is different from the updated thumbprint following the replacement of the vCenter Server certificate

Resolution

To restore Compute Manager connection:

  1. Navigate to System > Fabric > Compute Manager
  2. Select Compute Manager and Edit
  3. Enter correct thumbprint in "SHA-256 thumbprint" and Save

Alternatively, you can leave "SHA-256 thumbprint" and SAVE. The UI will show an error message with the thumbprint.
For example:
Cannot register compute manager, server thumbprint is blank or empty. Found thumbprint ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:## for server. If correct, please re-submit with this thumbprint (Error code: 7049)



To check the thumbprint in the vCenter Server Appliance Shell, run the following command:
echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Output Example:
Fingerpint=##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##

If the thumbprint in the NSX dialog box does match the thumbprint from the vCenter Server and you are still receiving the same error, try to edit the vCenter Server compute  manager in the same NSX dialog box using the IP address(or if it was vCenter Server's IP address originally, then try the FQDN ). This will force the NSX Manager to query the vCenter Server for the thumbprint instead of comparing the cached thumbprint.

Additional Information

If "HTTPS port of Reverse Proxy" is 0, you can not update the compute manager settings due to the issue noted in A Non embedded OVA is used when deploying an embedded deployment of NSX-T.