This article provides instructions for renewing the certificate used by the NSX-T principal identity (PI) user created for Tanzu Kubernetes Grid Integrated Edition (TKGI).

Symptoms:

Querying the Ops Manager API for certificates that expire within the next three months lists the NSX-T principal identity certificate of the TKGI tile:

https://<Opsman FQDN/IP>/api/v0/deployed/certificates?expires_within=3m

{
"configurable": true,
"is_ca": false,
"property_reference": ".properties.network_selector.nsx.########-certificate",
"property_type": "rsa_cert_credentials",
"product_guid": "pivotal-container-service-942e24a1e535########",
"location": "ops_manager",
"variable_path": null,
"issuer": "/CN=########",
"valid_from": "2020-07-02T13:41:10Z",
"valid_until": "2021-07-02T13:41:10Z"
}

Resolution:

1. Query the Ops Manager API for certificates expiring within three months (the response shown under Symptoms) and note the "valid_from" and "valid_until" values of the NSX-T principal identity certificate:

https://<Opsman FQDN/IP>/api/v0/deployed/certificates?expires_within=3m

2. Identify the ID of the current principal identity certificate in NSX-T Manager (the /api/v1/trust-management/certificates API used in step 7 lists all certificates with their IDs). In this example, the certificate ID is:

cbfd03e6-44fc-42df-bc71-b771########
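The expiry check in step 1 can also be done locally against a saved copy of the Ops Manager response, which is useful when several tiles and certificates are listed. The following Python is an added example and is not part of this article or of the create_certificate.sh script: it filters a deployed-certificates response the way ?expires_within does and picks out the TKGI tile's NSX-T principal identity certificate by its property_reference. The response is constructed from the masked values above; its shape (a top-level "certificates" list) is an assumption about the /api/v0/deployed/certificates API.

```python
"""Flag Ops Manager certificates that are about to expire.

Added example, not part of the KB article.  Reproduces the
"expires_within" filter of the Ops Manager certificates API locally so the
NSX-T principal identity certificate can be picked out of the response and
its remaining lifetime computed.  SAMPLE_RESPONSE is constructed; the
top-level "certificates" key is an assumption about the API's shape.
"""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_RESPONSE = json.dumps({"certificates": [
    {   # the NSX-T principal identity certificate of the TKGI tile (values from the article)
        "configurable": True,
        "is_ca": False,
        "property_reference": ".properties.network_selector.nsx.########-certificate",
        "property_type": "rsa_cert_credentials",
        "product_guid": "pivotal-container-service-942e24a1e535########",
        "location": "ops_manager",
        "variable_path": None,
        "issuer": "/CN=########",
        "valid_from": "2020-07-02T13:41:10Z",
        "valid_until": "2021-07-02T13:41:10Z",
    },
    {   # an unrelated CA that is nowhere near expiry (constructed)
        "configurable": False,
        "is_ca": True,
        "property_reference": None,
        "property_type": None,
        "product_guid": "p-bosh-0123456789abcdef0123",
        "location": "credhub",
        "variable_path": "/p-bosh/director/default_ca",
        "issuer": "/CN=example-ca",
        "valid_from": "2020-01-01T00:00:00Z",
        "valid_until": "2025-01-01T00:00:00Z",
    },
]})


def parse_timestamp(value):
    """Ops Manager reports UTC timestamps such as 2021-07-02T13:41:10Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_nsx_principal_identity_cert(cert):
    """The PI certificate is the TKGI tile's network_selector.nsx certificate."""
    ref = cert.get("property_reference") or ""
    guid = cert.get("product_guid") or ""
    return ".properties.network_selector.nsx." in ref and guid.startswith("pivotal-container-service-")


def expiring_within(response_text, now, days):
    """Certificates whose valid_until is within `days` of `now`
    (the local equivalent of ?expires_within=<N>d)."""
    deadline = now + timedelta(days=days)
    return [c for c in json.loads(response_text)["certificates"]
            if parse_timestamp(c["valid_until"]) <= deadline]


def days_left(cert, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_timestamp(cert["valid_until"]) - now).days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for cert in expiring_within(SAMPLE_RESPONSE, now, 90):
        kind = "NSX-T principal identity" if is_nsx_principal_identity_cert(cert) else "other"
        print(f"{kind}: {cert['property_reference'] or cert['variable_path']} "
              f"expires {cert['valid_until']} ({days_left(cert, now)} days left)")
```

To use it on a live system, save the API response to a file and pass its contents to expiring_within instead of SAMPLE_RESPONSE; a negative days_left means the PI certificate has already expired and the TKGI control plane can no longer authenticate to NSX-T.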
3. Find the principal identity that is bound to that certificate and note its "id" value. Replace <Certificate-ID> with the certificate ID from step 2:

curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities | jq -r '.results[] | select(.certificate_id == "<Certificate-ID>")'

You will see output similar to the following:

{
"name": "########",
"node_id": "####",
"permission_group": "undefined",
"role": "enterprise_admin",
"certificate_id": "cbfd03e6-44fc-42df-bc71-b771########",
"is_protected": true,
"resource_type": "PrincipalIdentity",
"id": "89819c8b-de0e-4c52-8fa4-dc3b########",
"display_name": "########",
"tags": [],
"_create_user": "admin",
"_create_time": 1593697486134,
"_last_modified_user": "admin",
"_last_modified_time": 1593697486134,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}

Note: Make a note of the "id" value. In this example, it is 89819c8b-de0e-4c52-8fa4-dc3b########.
4. Create a working directory named nsxt-pi-cert and change into it:

mkdir ~/nsxt-pi-cert
cd ~/nsxt-pi-cert

5. Download the create_certificate.sh.zip file attached to this article and extract its contents (create_certificate.sh). Copy the script to the system from which you will run the commands, then edit the variables at the top of the script and the -subj value of its openssl command:

NSX_MANAGER="<NSX Manager IP>"
NSX_USER="admin"
PI_NAME="########"
NSX_SUPERUSER_CERT_FILE="########.crt"
NSX_SUPERUSER_KEY_FILE="########.key"
-subj /CN=########

Set NSX_MANAGER to the NSX-T Manager IP address and NSX_USER to the "admin" account. Set PI_NAME, the certificate and key file names, and the -subj CN to the name of the new principal identity certificate (in this example, pks-nsx-t-superuser1).

6. Make the script executable and run it. Enter the NSX-T admin password when prompted:

chmod +x create_certificate.sh
./create_certificate.sh
You will see output similar to the following:

Password: Generating a 2048-bit RSA private key
....+++
.........................................................................................................+++
writing the new private key to 'pks-nsx-t-superuser1.key'
-----
{
"results" : [ {
"pem_encoded" : "-----BEGIN CERTIFICATE-----\nMII.........laV\n-----END CERTIFICATE-----\n",
"used_by" : [ ],
"resource_type" : "certificate_self_signed",
"id" : "670c81d9-d1e2-4d7f-941a-d08d########",
"display_name" : "########",
"tags" : [ ],
"_create_user" : "admin",
"_create_time" : 1601567107129,
"_last_modified_user" : "admin",
"_last_modified_time" : 1601567107129,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 0
} ]
}

Note: The new certificate is uploaded to NSX-T with the issuer name "pks-nsx-t-superuser#". In this example, the issuer is "pks-nsx-t-superuser1".

Note: The script creates two files, "pks-nsx-t-superuser1.crt" and "pks-nsx-t-superuser1.key". Keep a copy of both files; they are used in step 5 to update the TKGI/PKS tile with the new NSX-T superuser certificate.
7. Get the "id" value of the new nsx-t-superuser certificate by running a command similar to the following:

curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/certificates | jq -r '.results[] | select(.display_name == "<New-Cert-Displayname>")'

Note: Replace <New-Cert-Displayname> with the PI_NAME value used in step 5.

You will see output similar to the following:

{
"pem_encoded": "-----BEGIN CERTIFICATE-----\nMII........laV\n-----END CERTIFICATE-----\n",
"used_by": [],
"resource_type": "certificate_self_signed",
"id": "670c81d9-d1e2-4d7f-941a-d08d########",
"display_name": "########",
"tags": [],
"_create_user": "admin",
"_create_time": 1601567107129,
"_last_modified_user": "admin",
"_last_modified_time": 1601567107129,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}

Note: Make a note of the nsx-t-superuser certificate ID. In this example, the value is "670c81d9-d1e2-4d7f-941a-d08d########".
8. Bind the new nsx-t-superuser certificate to the principal identity.

Create a file named bind.json containing the principal identity ID obtained in step 3 and the new nsx-t-superuser certificate ID obtained in step 7:

{
"principal_identity_id": "<Principal identity ID from step 3>",
"certificate_id": "<New certificate ID from step 7>"
}

Using the values in this example, the file looks like the following:

{
"principal_identity_id": "89819c8b-de0e-4c52-8fa4-dc3b########",
"certificate_id": "670c81d9-d1e2-4d7f-941a-d08d########"
}

Run a command similar to the following to bind the certificate to the principal identity:

curl -X POST -u 'admin:<Password>' -k "https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities?action=update_certificate" -H "Content-Type: application/json" -H "X-Allow-Overwrite: true" -d @bind.json

You will see output similar to the following:

{
"name" : "########",
"node_id" : "####",
"permission_group" : "undefined",
"role" : "enterprise_admin",
"certificate_id" : "670c81d9-d1e2-4d7f-941a-d08d########",
"is_protected" : true,
"resource_type" : "PrincipalIdentity",
"id" : "89819c8b-de0e-4c52-8fa4-dc3b########",
"display_name" : "########",
"tags" : [ ],
"_create_user" : "admin",
"_create_time" : 1593697486134,
"_last_modified_user" : "admin",
"_last_modified_time" : 1601591521902,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 1
}
9. Verify that the principal identity now references the new certificate. Replace <Principal identity ID> with the value from step 3:

curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities | jq -r '.results[] | select(.id == "<Principal identity ID>")'

You will see output similar to the following. The "certificate_id" is now the new nsx-t-superuser certificate ID from step 7, and "_revision" has been incremented:

{
"name": "########",
"node_id": "####",
"permission_group": "undefined",
"role": "enterprise_admin",
"certificate_id": "670c81d9-d1e2-4d7f-941a-d08d########",
"is_protected": true,
"resource_type": "PrincipalIdentity",
"id": "89819c8b-de0e-4c52-8fa4-dc3b########",
"display_name": "########",
"tags": [],
"_create_user": "admin",
"_create_time": 1593697486134,
"_last_modified_user": "admin",
"_last_modified_time": 1601591521902,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 1
}
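The jq selections of steps 3, 7 and 9 and the bind.json of step 8 are easy to get wrong by hand (a certificate display name that matches more than one upload, or a bind.json that re-binds the certificate already in use). The following Python is an added example, not part of this article or of its script: it performs the same selections on saved API responses, refuses ambiguous matches, builds the bind.json body, and checks a post-update principal identity the way step 9 does. The two responses are constructed from the masked values in this article; the old certificate's display name pks-nsx-t-superuser is an assumption.

```python
"""Select the NSX-T IDs for the rebind and check the result.

Added example, not part of the KB article.  Performs the jq selections of
steps 3, 7 and 9 and the bind.json construction of step 8 on saved API
responses so the IDs are cross-checked before anything is POSTed to NSX-T.
PRINCIPAL_IDENTITIES and CERTIFICATES are constructed from the article's
values; the old certificate's display name is an assumption.
"""
import json

# Constructed /api/v1/trust-management/principal-identities response (step 3).
PRINCIPAL_IDENTITIES = json.dumps({"results": [{
    "name": "pks-nsx-t-superuser",
    "node_id": "####",
    "permission_group": "undefined",
    "role": "enterprise_admin",
    "certificate_id": "cbfd03e6-44fc-42df-bc71-b771########",
    "is_protected": True,
    "resource_type": "PrincipalIdentity",
    "id": "89819c8b-de0e-4c52-8fa4-dc3b########",
    "display_name": "pks-nsx-t-superuser",
    "_revision": 0,
}]})

# Constructed /api/v1/trust-management/certificates response (step 7): the
# expiring certificate and the one uploaded by create_certificate.sh.
CERTIFICATES = json.dumps({"results": [
    {"id": "cbfd03e6-44fc-42df-bc71-b771########", "display_name": "pks-nsx-t-superuser",
     "resource_type": "certificate_self_signed", "used_by": []},
    {"id": "670c81d9-d1e2-4d7f-941a-d08d########", "display_name": "pks-nsx-t-superuser1",
     "resource_type": "certificate_self_signed", "used_by": []},
]})


def _single(matches, what):
    """Exactly one match is required; anything else means the wrong object could be bound."""
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {what}, found {len(matches)}")
    return matches[0]


def principal_identity_for_certificate(pi_response, certificate_id):
    """Step 3: the principal identity currently bound to the expiring certificate."""
    return _single([p for p in json.loads(pi_response)["results"]
                    if p["certificate_id"] == certificate_id], "principal identity")


def certificate_by_display_name(cert_response, display_name):
    """Step 7: the freshly uploaded certificate, found by its PI_NAME."""
    return _single([c for c in json.loads(cert_response)["results"]
                    if c["display_name"] == display_name], "certificate")


def build_bind_json(pi, new_cert):
    """Step 8: the request body for ?action=update_certificate."""
    if new_cert["id"] == pi["certificate_id"]:
        raise ValueError("the selected certificate is the one already bound; nothing to rotate")
    return json.dumps({"principal_identity_id": pi["id"],
                       "certificate_id": new_cert["id"]}, indent=2)


def expected_after_rebind(pi, new_cert):
    """The principal identity as NSX-T returns it after a successful update
    (mirrors the step 8 response: same id and role, new certificate_id, revision + 1)."""
    return dict(pi, certificate_id=new_cert["id"], _revision=pi.get("_revision", 0) + 1)


def rebind_succeeded(updated_pi, pi, new_cert):
    """Step 9: the PI keeps its id and role but now carries the new certificate."""
    return (updated_pi["id"] == pi["id"]
            and updated_pi["role"] == pi["role"]
            and updated_pi["certificate_id"] == new_cert["id"]
            and updated_pi.get("_revision", 0) > pi.get("_revision", 0))


if __name__ == "__main__":
    pi = principal_identity_for_certificate(PRINCIPAL_IDENTITIES, "cbfd03e6-44fc-42df-bc71-b771########")
    new_cert = certificate_by_display_name(CERTIFICATES, "pks-nsx-t-superuser1")
    print(build_bind_json(pi, new_cert))
    print("rebind ok:", rebind_succeeded(expected_after_rebind(pi, new_cert), pi, new_cert))
```

On a live system, replace the two constants with the saved curl output of steps 3 and 7, write the returned body to bind.json, and feed the step 9 response to rebind_succeeded.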
10. Validate that the new certificate was updated on the master node by running commands similar to the following:

bosh deployments --column=name | grep service-instance
bosh -d <service-instance_UUID> scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/########.crt .

Example:

bosh -d service-instance_814f9e24-140d-471e-b4a7-933######## scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/########.crt .

openssl x509 -in ########.crt -issuer -subject -startdate -enddate -noout

You will see output similar to the following:

issuer= /CN=########
subject= /CN=########
notBefore=Oct  2 14:54:21 2020 GMT
notAfter=Oct  2 14:54:21 2022 GMT
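Reading the openssl output by eye is enough for one cluster, but the same check across many service instances is better scripted. The following Python is an added example, not part of this article or of its script: it parses the "openssl x509 -issuer -subject -startdate -enddate -noout" summary from step 10 and confirms that the certificate on the master node is the renewed, self-signed principal identity certificate rather than the expiring one. The sample output is constructed from the values above with the PI name pks-nsx-t-superuser1; the old expiry date used in the check is the valid_until from the Ops Manager query in step 1.

```python
"""Check the certificate copied from the master node (step 10).

Added example, not part of the KB article.  Parses the openssl x509
summary printed in step 10 and reports why the file would not be the
renewed principal identity certificate.  SAMPLE_OUTPUT is constructed from
the article's values with PI name pks-nsx-t-superuser1.
"""
import re
import sys
from datetime import datetime, timezone

SAMPLE_OUTPUT = """issuer= /CN=pks-nsx-t-superuser1
subject= /CN=pks-nsx-t-superuser1
notBefore=Oct  2 14:54:21 2020 GMT
notAfter=Oct  2 14:54:21 2022 GMT
"""


def parse_openssl_date(value):
    """openssl prints e.g. 'Oct  2 14:54:21 2020 GMT' (single-digit days are space padded)."""
    return datetime.strptime(" ".join(value.split()),
                             "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_x509_summary(text):
    """Turn the key=value lines of the openssl summary into a dict with real datetimes."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "issuer": fields["issuer"],
        "subject": fields["subject"],
        "not_before": parse_openssl_date(fields["notBefore"]),
        "not_after": parse_openssl_date(fields["notAfter"]),
    }


def common_name(dn):
    """CN component of a DN printed as /CN=name (or CN = name)."""
    match = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return match.group(1).strip() if match else None


def check_renewed_cert(summary, expected_cn, now, old_valid_until):
    """Return a list of problems; an empty list means the master node has the new certificate."""
    problems = []
    cn = common_name(summary["subject"])
    if cn != expected_cn:
        problems.append(f"subject CN is {cn!r}, expected the new PI_NAME {expected_cn!r}")
    if summary["issuer"] != summary["subject"]:
        problems.append("certificate is not self-signed, unlike the one create_certificate.sh uploads")
    if not summary["not_before"] <= now <= summary["not_after"]:
        problems.append("certificate is not valid at the current time")
    if summary["not_after"] <= old_valid_until:
        problems.append("notAfter does not extend past the old certificate's valid_until; "
                        "the old certificate is still in place")
    return problems


if __name__ == "__main__":
    # Pipe the openssl output in, or run without input to check the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    summary = parse_x509_summary(text)
    old_expiry = parse_openssl_date("Jul  2 13:41:10 2021 GMT")  # valid_until from step 1
    issues = check_renewed_cert(summary, "pks-nsx-t-superuser1", datetime.now(timezone.utc), old_expiry)
    print("OK: renewed certificate in place" if not issues else "\n".join("PROBLEM: " + i for i in issues))
```

Run it as "openssl x509 -in pks-nsx-t-superuser1.crt -issuer -subject -startdate -enddate -noout | python3 check_master_cert.py" (the file name is a placeholder) after the tile has been updated with the new certificate and key, since the copy on the master node only changes once that update has been applied.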