NSX Application Platform deployment fails at 70% Registering Platform

Article ID: 330501


Products

VMware NSX

Issue/Introduction

Symptoms:

NAPP installation fails at 70% (Registering Platform). This scenario is commonly hit in a Federation setup.


In the /var/log/proton/napps.log on the NSX Manager, you see similar output to:

2023-03-31 17:22:00 ERROR    api_request:133 [MainThread] - Unexpected error for POST /napp/api/v1/platform/trust-management/certificates, status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00 WARNING  api_request:47 [MainThread] - Retry #3: Remote node request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}',
2023-03-31 17:22:00 ERROR    api_request:28 [MainThread] - Description: POST: /napp/api/v1/platform/trust-management/certificates
2023-03-31 17:22:00 ERROR    api_request:29 [MainThread] - Request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00 ERROR    __main__:345 [MainThread] - Exit unexpectedly
Traceback (most recent call last):
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 343, in <module>
    main(args)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 296, in main
    _register_manager_certs(fqdn)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 245, in _register_manager_certs
    _push_certs(host, node_certs, "NSX_UA_NODE")
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 267, in _push_certs
    "POST: %s" % POST_CLOUDNATIVE_PLATFROM_CERT)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/api_request.py", line 30, in assert_request_success
    raise RuntimeError("Request failed with error msg: %s" % error_msg)
RuntimeError: Request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00,230 ERROR nsx_kubernetes_lib.vmware.kubernetes.common.utility[37]:execute Unexpected error occurred:
2023-03-31 17:22:00,231 ERROR __main__[53]:main Error executing function execute_registration_script. Error message:

If you check the trust-manager pod logs at /var/log/napps/XXXXXXXXXXX/nsxi-platformfrom/trust-manager-XXXXXXXXX, you see output similar to:

"ERROR" subcomp="trust-manager-core"] Failed to add certificate
com.vmware.nsx.k8splatform.trustmanager.common.exceptions.CertificateValidationException: Some error has occurred
        at com.vmware.nsx.k8splatform.trustmanager.common.utils.X509CertificateUtil.verify(X509CertificateUtil.java:291)
        at com.vmware.nsx.k8splatform.trustmanager.service.impl.TrustManagerServiceImpl.verifyCertificateEntity(TrustManagerServiceImpl.java:334)
        at com.vmware.nsx.k8splatform.trustmanager.service.impl.TrustManagerServiceImpl.addCertificate(TrustManagerServiceImpl.java:119)
        at com.vmware.nsx.k8splatform.trustmanager.api.TrustManagementApiImpl.addCertificate(TrustManagementApiImpl.java:47)
        at sun.reflect.GeneratedMethodAccessor259.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
		

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
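To confirm that a failed deployment matches this article, the napps.log signature above can be checked mechanically. The following is an added example, not VMware code: it groups the repeated ERROR, WARNING and traceback lines for the failed certificate POST into one finding. The function name and the last sample line are constructed for illustration.

```python
import json
import re

CERT_PATH = "/napp/api/v1/platform/trust-management/certificates"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Covers "POST <path>, status: ..." and "POST <path> returned status: ...".
FAIL_RE = re.compile(
    r"(?P<method>[A-Z]+) (?P<path>/\S+?),? (?:returned )?"
    r"status: (?P<status>\d{3}), body: b'(?P<body>\{.*?\})'"
)


def find_cert_push_failures(lines):
    """Group napps.log lines that show the TrustManager 940108 failure."""
    findings = {}
    last_ts = None
    for line in lines:
        ts = TS_RE.match(line)
        if ts:
            last_ts = ts.group(1)  # traceback lines inherit the last timestamp
        hit = FAIL_RE.search(line)
        if not hit or hit.group("path") != CERT_PATH:
            continue
        try:
            body = json.loads(hit.group("body"))
        except json.JSONDecodeError:
            continue  # truncated body: not enough evidence to match
        if (hit.group("method"), hit.group("status"), body.get("error_code"),
                body.get("module_name")) != ("POST", "500", 940108, "TrustManager"):
            continue
        entry = findings.setdefault(
            last_ts, {"timestamp": last_ts, "lines": 0, "message": body.get("error_message")}
        )
        entry["lines"] += 1
    return list(findings.values())


# Sample input: the first three lines reuse the excerpt above, the last is constructed.
BODY = ('b\'{"error_code":940108,"module_name":"TrustManager",'
        '"error_message":"Failed to add certificate. {0}"}\'')
PREFIX = "2023-03-31 17:22:00 {} [MainThread] - "
SAMPLE = [
    PREFIX.format("ERROR    api_request:133") + f"Unexpected error for POST {CERT_PATH}, status: 500, body: {BODY}",
    PREFIX.format("WARNING  api_request:47") + f"Retry #3: Remote node request failed with error msg: POST {CERT_PATH} returned status: 500, body: {BODY},",
    f"RuntimeError: Request failed with error msg: POST {CERT_PATH} returned status: 500, body: {BODY}",
    "2023-03-31 17:25:10 ERROR    api_request:133 [MainThread] - Unexpected error for "
    "POST /napp/api/v1/platform/example, status: 500, body: b'{\"error_code\":1}'",
]
```

Calling `find_cert_push_failures(open("/var/log/proton/napps.log"))` on the NSX Manager returns an empty list when the signature is absent.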


Environment

VMware NSX-T Data Center

Cause

The /nsxapi/api/v1/trust-management/certificates API returns two certificates where service_type is set to "API": one CA-signed and one self-signed.
The intelligence registration failed because the registration scripts tried to add the CA-signed certificate to trust manager as the leaf certificate, and trust manager rejected it.
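The condition described above can be checked from a saved copy of the certificates API response. This is an added example, not the registration script: the field names (`results`, `used_by`, `service_types`, `details`, `subject`, `issuer`) are assumptions about the response shape, the sample response is constructed, and a certificate is treated as self-signed when its subject equals its issuer.

```python
def api_certificate_mix(response):
    """Report certificates bound to the API service and whether each is self-signed."""
    api_certs = []
    for cert in response.get("results", []):
        services = {
            svc
            for use in cert.get("used_by", [])
            for svc in use.get("service_types", [])
        }
        if "API" not in services:
            continue
        # Assumption: the first details entry describes the leaf certificate.
        leaf = (cert.get("details") or [{}])[0]
        subject, issuer = leaf.get("subject"), leaf.get("issuer")
        api_certs.append({
            "id": cert.get("id"),
            "subject": subject,
            "self_signed": subject is not None and subject == issuer,
        })
    kinds = {c["self_signed"] for c in api_certs}
    # Affected when both a self-signed and a CA-signed certificate serve the API.
    return {"api_certs": api_certs, "affected": kinds == {True, False}}


# Constructed response; ids, names and the non-API service type are placeholders.
SAMPLE_RESPONSE = {
    "results": [
        {"id": "cert-self",
         "used_by": [{"node_id": "node-1", "service_types": ["API"]}],
         "details": [{"subject": "CN=nsx-mgr.example.test",
                      "issuer": "CN=nsx-mgr.example.test"}]},
        {"id": "cert-ca",
         "used_by": [{"node_id": "node-1", "service_types": ["API"]}],
         "details": [{"subject": "CN=nsx-mgr.example.test",
                      "issuer": "CN=Example Issuing CA"},
                     {"subject": "CN=Example Issuing CA",
                      "issuer": "CN=Example Issuing CA"}]},
        {"id": "cert-other",
         "used_by": [{"node_id": "node-1", "service_types": ["OTHER_SERVICE"]}],
         "details": [{"subject": "CN=cluster.example.test",
                      "issuer": "CN=cluster.example.test"}]},
    ]
}
```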

Resolution

This behavior is fixed in NSX 4.0.0.1.

Workaround:
  • These certificates can be skipped in the registration script to avoid trust-manager errors, because trust manager refuses to accept CA-signed certificates.
  • If you believe you have encountered this issue, please open a support request and refer to this KB article.