NSX Manager User Interface (UI) registration with Lookup Service fails

Article ID: 332340

Products

VMware vCenter Server
VMware NSX

Issue/Introduction

  • NSX Manager User Interface (UI) registration with Lookup Service fails
  • In NSX Manager UI, you see errors similar to:

    Trust Certificate?

    NSX Management Service Operation failed. (Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched)

    Lookup service https://<vCenter_Server_Appliance>:443/lookupservice/sdk presented an SSL certificate with the following thumbprint:

    ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##

    Proceed with this certificate? Yes, No


    Note: For additional symptoms, see the Additional Information section.

 

Environment

VMware NSX for vSphere 6.1.x
VMware vCenter Server 6.0.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware vCenter Server Appliance 6.0.x

Cause

When you view the certificate details at the Lookup Service HTTPS URL, the thumbprint matches.

This issue stems from the initial deployment of the vCenter Server Appliance with embedded PSC. If the appliance is initially deployed with only an IP address and a hostname is set later, the initial certificate has only the IP address in the Subject Alternative Name.

The certificate mismatch is therefore not in the thumbprint but in the Subject Alternative Name, which contains only the IP address and not the FQDN of the vCenter Server Appliance.

Resolution

To resolve this issue, replace the CA-signed certificates on the vCenter Server Appliance with certificates whose Subject Alternative Name contains both the FQDN and the IP address of the vCenter Server Appliance.

Additional Information

The output of the show log manager follow command contains entries similar to:

2016-10-27 10:25:01.110 EDT ERROR TaskFrameworkExecutor-25 Worker:219 - BaseException thrown while executing task instance taskinstance-11261 com.vmware.vshield.vsm.sso.exceptions.RegistrationServiceInitializeException: core-services:4000:Initialization of Admin Registration Service Provider failed.:Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

To verify that the certificate has the correct values using the web browser:

  1. Browse to the Lookup Service URL https://<vcenter_ip_address>:443/lookupservice/sdk.
  2. Select the browser's SSL "Lock" icon to view the certificate details.

    Notes:
     
    • Subject Alternative Name must be the FQDN of the vCenter Server Appliance.
    • Note the thumbprint to visually match with the NSX Manager Lookup Service registration thumbprint presented.
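
A command-line equivalent of the browser check above, as an added example that is not part of the original article: it prints the SHA-1 thumbprint and tests whether a given name appears in the Subject Alternative Name. The host name vcsa.example.test, the address 192.0.2.10 and the file names are constructed placeholders, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes OpenSSL 1.1.1 or later.

# Save the certificate presented by a Lookup Service endpoint as PEM.
# $1 = host (FQDN or IP), $2 = output file. Not called below: needs network.
fetch_cert() {
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -out "$2"
}

# SHA-1 thumbprint in the colon-separated form shown in the NSX dialog.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Succeeds only if $2 (FQDN or IP) is listed in the SAN of certificate $1.
# Exact match only; wildcard SAN entries are not expanded.
san_covers() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -qixF -e "DNS:$2" -e "IP Address:$2"
}

# Constructed sample: self-signed certificate with SAN $2, written to $1.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -out "$1" -subj "/CN=sample" -addext "subjectAltName=$2" 2>/dev/null
}

# Report for one certificate and the name used for registration.
check() {
  echo "thumbprint: $(thumbprint "$1")"
  if san_covers "$1" "$2"; then
    echo "SAN covers $2"
  else
    echo "SAN does NOT cover $2 (the mismatch this article describes)"
  fi
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/ip_only.pem" "IP:192.0.2.10"
make_sample_cert "$tmp/fixed.pem" "DNS:vcsa.example.test,IP:192.0.2.10"
check "$tmp/ip_only.pem" vcsa.example.test   # IP-only SAN, as in the Cause
check "$tmp/fixed.pem"   vcsa.example.test   # SAN with FQDN and IP
```

Against a live appliance, run fetch_cert with the vCenter Server Appliance address first, then pass the saved file and the FQDN to check.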