Replacing NSX-T certificate with CA signed certificates through SDDC Manager fails with "Data type mismatch, expected certificate_signed but received certificate_ca"
Article ID: 324588

Products

VMware Cloud Foundation, VMware NSX

Issue/Introduction

Symptoms:

  • In SDDC Manager, certificate replacement fails with the following error:

Failed to replace certificate for nsxt_fqdn due to: 400 : "{<EOL> "httpStatus" : "BAD_REQUEST",<EOL> "error_code" : 2007,<EOL> "module_name" : "internal-framework",<EOL> "error_message" : "Data type mismatch, expected certificate_signed but received certificate_ca."<EOL>}"

  • In /var/log/vmware/vcf/operationsmanager/operationsmanager.log, you see entries similar to:

2022-08-30T07:03:32.668+0000 ERROR [vcf_om,9b6ea2e9dbea41b7,4179] [c.v.v.c.n.NsxTManagerCertificatePlugin,om-exec-29] 400 : "{<EOL>  "httpStatus" : "BAD_REQUEST",<EOL>  "error_code" : 2007,<EOL>  "module_name" : "internal-framework",<EOL>  "error_message" : "Data type mismatch, expected certificate_signed but received certificate_ca."<EOL>}"

  • In NSX Manager or VCF Fleet Manager, you may observe the following error message in the /var/log/syslog file:

{"httpStatus":"BAD_REQUEST","error_code":6111,"module_name":"internal-framework","error_message":"Attempt to import a CA certificate for a non-CA CSR."} 

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware Cloud Foundation

VMware NSX

Cause

This issue occurs when the NSX-T server certificate does not comply with the Basic Constraints requirements listed in the Resolution section: SDDC Manager submits the file as a server (non-CA) certificate, but the certificate presented is marked as a CA certificate, so NSX Manager rejects it.

Resolution

NSX-T certificates have the following requirements:

  • The server certificate (nsxt_fqdn.crt) must contain the Basic Constraints field with the value CA:FALSE.
  • The root CA certificate chain file (rootca.crt), the intermediate certificates, and the root certificate must contain the Basic Constraints field with the value CA:TRUE.

To verify that the certificate complies with these requirements, review the NSX-T server certificate with openssl:

  • On any system with openssl installed, use the command:

openssl x509 -in <path_to_NSXT_certificate_file> -noout -text

  • On the SDDC Manager, use the command:

openssl x509 -in /opt/vmware/vcf/operationsmanager/certificates/<domain_name>/<nsxt_fqdn>/<nsxt_fqdn>.crt -noout -text

Note: <domain_name> is the workload domain for which the certificate replacement failed.

  • Under X509v3 Basic Constraints, check the CA bit value.
  • For a valid NSX-T server certificate, the CA bit value must be CA:FALSE. For example:

            X509v3 Basic Constraints: critical
                CA:FALSE

  • Re-generate the NSX-T server certificate if the Basic Constraints field is set to CA:TRUE, then retry the certificate replacement in SDDC Manager.
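To make the check above repeatable, the following shell example (added here; it is not from the KB article and not part of SDDC Manager or NSX) reads the CA bit with openssl exactly as described, applies the CA:FALSE rule to a server certificate file and the CA:TRUE rule to every certificate inside a chain file, and builds its own constructed demo certificates so that it runs offline. It assumes openssl, awk and grep are on the PATH; the file names rootca.crt and nsxt_fqdn.crt follow the article, while the function names, subjects and demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the KB article or of SDDC Manager's own tooling.
# Checks the X509v3 Basic Constraints CA bit of NSX-T certificate files with
# openssl: the server certificate must be CA:FALSE and every certificate in the
# root/intermediate chain file must be CA:TRUE. All names below are constructed.

# Print "CA:TRUE" or "CA:FALSE" for one PEM certificate file. Prints nothing if
# the extension is absent or the file cannot be parsed, so callers treat an
# empty result as a failure.
nsx_cert_ca_bit() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Basic Constraints' \
    | grep -oE 'CA:(TRUE|FALSE)' \
    | head -n 1
}

# Server certificate (nsxt_fqdn.crt): succeeds only for CA:FALSE.
nsx_server_cert_ok() {
  [ "$(nsx_cert_ca_bit "$1")" = "CA:FALSE" ]
}

# Chain file (rootca.crt): succeeds only if every certificate in the bundle is
# CA:TRUE. The bundle is split on BEGIN markers and each member is checked on
# its own, so a leaf certificate pasted into the chain by mistake is caught.
nsx_chain_ok() {
  tmp=$(mktemp -d) || return 1
  awk -v dir="$tmp" \
    '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/c" n ".pem") }' "$1"
  rc=0
  for f in "$tmp"/c*.pem; do
    [ -e "$f" ] || rc=1                               # bundle held no certificate
    [ "$(nsx_cert_ca_bit "$f")" = "CA:TRUE" ] || rc=1
  done
  rm -rf "$tmp"
  return "$rc"
}

# Constructed demo material: a self-signed certificate whose Basic Constraints
# value is given as $3. A minimal inline config replaces the distro openssl.cnf
# so that exactly one basicConstraints extension is written.
nsx_demo_make_cert() {   # nsx_demo_make_cert <dir> <name> <CA:TRUE|CA:FALSE>
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\n[ext]\nbasicConstraints = critical,%s\n' \
    "$3" > "$1/$2.cnf"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -config "$1/$2.cnf" -subj "/CN=nsx-demo-$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Build the demo set and print its directory: root and intermediate CA certs, a
# compliant server cert, a mis-issued server cert (the case behind error 2007),
# a correct chain file and a chain file that wrongly contains the leaf.
nsx_demo_make_certs() {
  dir=$(mktemp -d) || return 1
  nsx_demo_make_cert "$dir" root         CA:TRUE  &&
  nsx_demo_make_cert "$dir" intermediate CA:TRUE  &&
  nsx_demo_make_cert "$dir" server       CA:FALSE &&
  nsx_demo_make_cert "$dir" badserver    CA:TRUE  || return 1
  cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/rootca.crt"
  cat "$dir/server.crt" "$dir/root.crt"       > "$dir/badchain.crt"
  echo "$dir"
}

# Stand-alone run: report each demo file the way an operator would read it.
demo=$(nsx_demo_make_certs) || exit 1
for name in server badserver; do
  if nsx_server_cert_ok "$demo/$name.crt"; then verdict=ok
  else verdict='re-generate with CA:FALSE'; fi
  printf '%-14s %-8s %s\n' "$name.crt" "$(nsx_cert_ca_bit "$demo/$name.crt")" "$verdict"
done
for name in rootca badchain; do
  if nsx_chain_ok "$demo/$name.crt"; then verdict=ok
  else verdict='every certificate in the chain must be CA:TRUE'; fi
  printf '%-14s %s\n' "$name.crt" "$verdict"
done
rm -rf "$demo"
```

On an SDDC Manager the same functions can be pointed at the files under /opt/vmware/vcf/operationsmanager/certificates/<domain_name>/<nsxt_fqdn>/ instead of the demo directory. The chain check deliberately inspects each certificate separately rather than only the first one in the bundle, because a leaf certificate accidentally included in rootca.crt is the same class of mismatch that error 2007 reports for the server file.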

Additional Information

For more information, see the "Install Third-Party CA-Signed Certificates" section of the VMware Cloud Foundation documentation.