Installing or upgrading NSX Intelligence Appliance 1.2.0 fails

Article ID: 325106

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
After changing the NSX Manager node certificates and Intelligence node certificate, you experience these symptoms:
  • Installing or upgrading NSX-T Intelligence 1.2.0 fails.
  • The config changes and flows are not reported.


Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

This issue occurs with NSX-T Intelligence 1.2.0. Currently, the IP address, thumbprint, and node certificate of the NSX Manager appliance that deploys NSX Intelligence are saved on the NSX Intelligence appliance. If this NSX Manager appliance is deleted, or its IP address or node certificate is changed, the saved information must be updated on the NSX Intelligence appliance by running certain CLI commands. Otherwise, the NSX Intelligence appliance cannot complete certain actions after installing or upgrading to version 1.2.0.

Resolution

To resolve this issue, update the NSX Manager IP address, certificate and thumbprint stored on the NSX Intelligence appliance.

For example, as part of deployment, the NSX Intelligence appliance is deployed and registered with NSX Manager (IP: 10.10.0.10, thumbprint: old_t, node certificate: old_c).

If this NSX Manager appliance is deleted, or its IP address or node certificate is changed, you need to update the NSX Intelligence appliance with the new or changed NSX Manager appliance information.
  1. Collect NSX Manager appliance information.

    a. Pick an NSX Manager IP from the UI and log in through SSH to the node as admin user.
    b. Get the node certificate by executing this command on the nsx-cli:

    get certificate api

    For example:

    nsxmanager-1> get certificate api
    -----BEGIN CERTIFICATE-----
    ..cert snipped...
    -----END CERTIFICATE-----

     
  2. Update the information on NSX Intelligence node.

    a. Log in to NSX Intelligence node through SSH as the admin user.
    b. Get NSX_UA_NODE certificate uuid using this command (search for "used_by": "NSX_UA_NODE" in CLI output):

    get intelligence certificates | json

    c. Update the NSX Manager node certificate on NSX Intelligence using this command:

    set intelligence manager-node <nsx-mgr-ip-address> cert-id <uuid-from-step-2.b> cert-b64-encoded-pem <certificate-from-step-1.b-in base64-format>

     
  3. Optional steps required in certain scenarios:

    a. If the above steps were performed during or after upgrade from NSX Intelligence version 1.0.0, update the NSX UA cluster certificate stored on NSX Intelligence.

    b. Get the cluster certificate from NSX UA. Call the API on NSX Manager: 

    https://{{nsx_ua_server}}/api/v1/trust-management/certificates?type=cluster_api_certificate
     
    c. Get the cluster certificate pem_encoded field in base64 format:

    echo -e "<value_of_pem_encoded_from_json_response>" | base64
    LS0tL...snipped...S0KCg==

     
    d. Update the certificate information on NSX Intelligence:

    For example:

    set intelligence manager-cluster cert-b64-encoded-pem <certificate-from-step-3.c-in base64-format>


    Note: These steps restart multiple NSX Intelligence appliance services. After waiting for a brief period of time, refresh your browser to ensure NSX Intelligence User Interface features are reloaded.
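
As an added example (not VMware code), this POSIX shell helper prepares the base64 value used in steps 2.c and 3.d from either the PEM text pasted from step 1.b or the JSON pem_encoded value from step 3.b, checks that it is a complete PEM block, and joins the wrapped base64 output so it stays a single CLI argument. The function names, the sample certificate body and the UUID are constructed placeholders.

```sh
#!/bin/sh
# Added example (not VMware code). Function names and sample values are constructed.

# Accept a certificate as pasted PEM text (CRLF, prompt lines and indentation
# tolerated) or as the JSON pem_encoded value with literal "\n" escapes,
# and print only the clean PEM block(s).
pem_normalize() {
    printf '%b\n' "$1" | tr -d '\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Succeed only if the text has matching BEGIN/END markers and a base64-only body.
pem_check() {
    n_begin=$(printf '%s\n' "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    n_end=$(printf '%s\n' "$1" | grep -c '^-----END CERTIFICATE-----$' || true)
    [ "$n_begin" -ge 1 ] && [ "$n_begin" -eq "$n_end" ] || return 1
    body=$(printf '%s\n' "$1" | grep -v '^-----' || true)
    [ -n "$body" ] || return 1
    ! printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'
}

# Print the single-line base64 value for the cert-b64-encoded-pem argument.
pem_to_cli_b64() {
    pem=$(pem_normalize "$1")
    pem_check "$pem" || { echo "input is not a complete PEM certificate" >&2; return 1; }
    # base64 wraps long output; join the lines so the value is one CLI argument
    printf '%s\n' "$pem" | base64 | tr -d '\n'
}

# Print the step 2.c command. Args: manager IP, cert uuid (step 2.b), PEM (step 1.b).
manager_node_cmd() {
    b64=$(pem_to_cli_b64 "$3") || return 1
    printf 'set intelligence manager-node %s cert-id %s cert-b64-encoded-pem %s\n' \
        "$1" "$2" "$b64"
}

# Constructed sample in the JSON form (escaped newlines); the body is not a real certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
SAMPLE_UUID='00000000-0000-0000-0000-000000000000'   # constructed placeholder
manager_node_cmd 10.10.0.10 "$SAMPLE_UUID" "$SAMPLE_PEM"
```

For step 3.d, pass the pem_encoded value to pem_to_cli_b64 and use its output as the cert-b64-encoded-pem argument.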