Symptoms:
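This issue is resolved in the following versions:
To work around this issue temporarily without upgrading, use the REST API to remove the certificate entry from the site configuration.
Note: After you perform this action, any configuration change to the IPsec service will be allowed.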
Method – GET
URL(Header) - https://NSXMGR_IP/api/4.0/edges/(edge-id)/ipsec/config
Output:-
<ipsec>
  <version>20</version>
  <enabled>true</enabled>
  <disableEvent>false</disableEvent>
  <logging>
    <enable>true</enable>
    <logLevel>warning</logLevel>
  </logging>
  <sites>
    <site>
      <enabled>true</enabled>
      <name>Site1</name>
      <localId>x.x.x.x</localId>
      <localIp>x.x.x.x</localIp>
      <peerId>x.x.x.x</peerId>
      <peerIp>x.x.x.x</peerIp>
      <encryptionAlgorithm>aes</encryptionAlgorithm>
      <enablePfs>true</enablePfs>
      <dhGroup>dh14</dhGroup>
      <localSubnets>
        <subnet>x.x.x.x/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>x.x.x.x/24</subnet>
      </peerSubnets>
      <psk>******</psk>
      <certificate>certificate-9</certificate> <!-- Certificate is not valid for PSK; this certificate entry needs to be removed. -->
      <authenticationMode>psk</authenticationMode>
    </site>
  </sites>
  <global>
    <psk>******</psk>
    <caCertificates/>
    <crlCertificates/>
  </global>
</ipsec>
To remove the certificate, use the following API call:
Method – PUT
URL(Header) - https://NSXMGR_IP/api/4.0/edges/(edge-id)/ipsec/config
Request body:
<ipsec>
  <enabled>true</enabled>
  <disableEvent>false</disableEvent>
  <logging>
    <enable>true</enable>
    <logLevel>warning</logLevel>
  </logging>
  <sites>
    <site>
      <enabled>true</enabled>
      <name>Site1</name>
      <localId>x.x.x.x</localId>
      <localIp>x.x.x.x</localIp>
      <peerId>x.x.x.x</peerId>
      <peerIp>x.x.x.x</peerIp>
      <encryptionAlgorithm>aes</encryptionAlgorithm>
      <enablePfs>true</enablePfs>
      <dhGroup>dh14</dhGroup>
      <localSubnets>
        <subnet>x.x.x.x/24</subnet>
      </localSubnets>
      <peerSubnets>
        <subnet>x.x.x.x/24</subnet>
      </peerSubnets>
      <psk>******</psk>
      <authenticationMode>psk</authenticationMode>
    </site>
  </sites>
  <global>
    <psk>******</psk>
    <caCertificates/>
    <crlCertificates/>
  </global>
</ipsec>
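Added example (not part of the original article or VMware's tooling): a Python helper that turns the GET output into the PUT body by removing <certificate> only from sites whose authenticationMode is psk, so the edit is not done by hand. The function name, the sample XML, Site2 and its mode value are constructed for illustration; fetching and sending the XML is left to your own HTTP client.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the GET output above. Site2 and its
# authenticationMode value are assumptions added to show an untouched site.
SAMPLE_GET = """<ipsec>
  <version>20</version>
  <enabled>true</enabled>
  <sites>
    <site>
      <name>Site1</name>
      <psk>******</psk>
      <certificate>certificate-9</certificate>
      <authenticationMode>psk</authenticationMode>
    </site>
    <site>
      <name>Site2</name>
      <certificate>certificate-3</certificate>
      <authenticationMode>x.509</authenticationMode>
    </site>
  </sites>
</ipsec>"""


def strip_psk_certificates(get_xml):
    """Return (put_body, changed_site_names) for the PUT call.

    Removes <certificate> only from sites whose authenticationMode is psk,
    and drops <version> because the article's PUT body does not carry it.
    """
    root = ET.fromstring(get_xml)
    changed = []
    for site in root.iterfind("./sites/site"):
        mode = (site.findtext("authenticationMode") or "").strip().lower()
        if mode != "psk":
            continue  # sites using another authentication mode keep their entry
        certs = site.findall("certificate")
        for cert in certs:
            site.remove(cert)
        if certs:
            changed.append(site.findtext("name"))
    version = root.find("version")
    if version is not None:
        root.remove(version)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    body, names = strip_psk_certificates(SAMPLE_GET)
    print("sites changed:", names)
    print(body)
```

Review the list of changed site names against what you expect before sending the PUT, and keep a copy of the original GET output so the configuration can be restored.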