Alarm For Transport Node Certificate is About to Expire.
Article ID: 345802

Products

VMware NSX

Issue/Introduction

Title: transport_node_certificate_is_about_to_expire
Event ID: transport_node_certificate_is_about_to_expire
Alarm Description

  • Purpose: Notify the user that the Transport Node certificate is about to expire in 7 days or less.
  • Impact: The Transport Node can disconnect from the Managers and not connect back again after the certificate expires.
  • Cause: The Transport Node certificate is about to expire in 7 days or less.
Warning: This alarm must be addressed as soon as possible. Once the TN certificate expires, there is a grace period of 24 hours, after which all impacted Edges and Hosts will be disconnected from NSX.
  • Certificate-expiring alarms can be reviewed in the NSX UI and the Aria Operations UI.
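The following script is an added example, not part of the KB article or of NSX itself. It turns the two thresholds the alarm description gives (7 days or less before expiry, and the 24-hour grace period after expiry) into a local check of the transport node certificate, so an operator can confirm how much time remains before acting on the alarm. It assumes GNU date (for `-d`), an `openssl` binary on the PATH for the file-based check, and the certificate path /etc/vmware/nsx/host-cert.pem named in the article.

```shell
#!/bin/sh
# Added example, not from the KB article: report where a transport node
# certificate stands relative to the alarm threshold (7 days or less) and
# the 24-hour post-expiry grace period the article describes.
# Assumptions: GNU date (for -d), openssl on PATH for the file-based check,
# and the certificate path /etc/vmware/nsx/host-cert.pem named in the KB.

# Seconds from "now" until an openssl-style notAfter string such as
# "Jan  1 00:00:00 2030 GMT". $2 optionally overrides "now" (used by tests).
seconds_until_expiry() {
    exp_s=$(date -u -d "$1" +%s) || return 2
    now_s=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( exp_s - now_s ))
}

# Map seconds-remaining onto the states the KB describes.
classify_expiry() {
    s=$1
    if   [ "$s" -lt -86400 ]; then echo "EXPIRED_GRACE_OVER"   # >24 h past expiry: TN gets disconnected
    elif [ "$s" -lt 0 ];      then echo "EXPIRED_IN_GRACE"     # expired, still inside the 24 h grace period
    elif [ "$s" -le 604800 ]; then echo "ALARM"                # 7 days or less: the alarm condition
    else                           echo "OK"
    fi
}

# Read notAfter from the certificate file and print "<state> <whole-days-left>".
# An empty file is what step 2 of the resolution leaves behind, so report it separately.
check_tn_cert() {
    cert=${1:-/etc/vmware/nsx/host-cert.pem}
    if [ ! -s "$cert" ]; then
        echo "MISSING_OR_EMPTY"
        return 1
    fi
    notafter=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//') || return 2
    secs=$(seconds_until_expiry "$notafter") || return 2
    echo "$(classify_expiry "$secs") $(( secs / 86400 ))"
}

# Stand-alone use on a transport node: sh check_tn_cert.sh [/path/to/cert.pem]
if [ "${1:-}" != "" ] || [ -s /etc/vmware/nsx/host-cert.pem ]; then
    check_tn_cert "$1"
fi
```

The classification works in seconds rather than days because integer day arithmetic truncates toward zero and would report a certificate that expired a few hours ago as having "0 days" left, hiding the difference between the alarm window and the grace period.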

Environment

VMware NSX

Cause

  • On NSX 4.1.x and 4.2.0, Edge and Host Transport Nodes are instantiated using a certificate with a validity period of 825 days.
  • NSX-T 3.x and NSX 4.2.1 and higher create Transport Nodes using a certificate with a validity period of 10 years.
  • The Transport Node certificate issued at creation time is not replaced on upgrade.
  • Any Edge deployed on the affected versions, and any Host prepared or re-prepared on them, will carry the shorter-validity certificate.

Resolution

For NSX versions from 4.1.0 through to 4.2.0 inclusive:

Check the connection status of the Transport Node in the NSX UI: System -> Fabric -> Hosts/Nodes

Transport Node has an expired or expiring certificate but is still connected to NSX:

Transport Node certificate has expired and the TN is in a disconnected state in NSX:

  1. SSH to the Transport Node as the root user.
  2. Empty the Transport Node certificate and private key:
    cat /dev/null > /etc/vmware/nsx/host-cert.pem
    cat /dev/null > /etc/vmware/nsx/host-privkey.pem
  3. Generate a new self-signed TN certificate and key.

    For NSX 4.1.x versions prior to 4.1.2.5:

      1. Create a temporary openssl config file from the existing openssl config: cat /etc/vmware/nsx/openssl-proxy.cnf > /tmp/tmp-openssl-proxy.cnf
      2. Extract the UUID and add it to the temporary openssl config: echo "UID = $(grep -o '<uuid>[^<]*' /etc/vmware/nsx/host-cfg.xml | sed 's/<uuid>//')" >> /tmp/tmp-openssl-proxy.cnf
      3. Add the extension section to the temporary openssl config: echo -e "[ req_ext ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer" >> /tmp/tmp-openssl-proxy.cnf
      4. Replace the certificate (the -days parameter specifies 3650 days/10 years validity):
        openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/vmware/nsx/host-privkey.pem -out /etc/vmware/nsx/host-cert.pem -config /tmp/tmp-openssl-proxy.cnf -extensions req_ext

    For NSX 4.1.2.5 and higher:

      1. Restarting nsx-proxy creates the new cert-key pair: /etc/init.d/nsx-proxy restart

  4. Identify the NSX Manager thumbprint by logging in to the NSX Manager as admin: get certificate api thumbprint
  5. To push the new cert-key pair to the Manager, from the root user on the Host or Edge, run:

    Edge:   su admin -c "push host-certificate <Manager hostname-or-IP> username admin thumbprint <thumbprint from step 4>"

    Host:   nsxcli -c "push host-certificate <Manager hostname-or-IP> username admin thumbprint <thumbprint from step 4>"

Note: If the Host/Edge remains disconnected after following the steps above, issuing the following command on the transport node may show all NSX Managers as Standby:

nsxcli > get managers

- <NSX-manager-1-IP>      Standby (NSX-RPC)
- <NSX-manager-2-IP>      Standby (NSX-RPC)
- <NSX-manager-3-IP>      Standby (NSX-RPC)

In this case, follow the resolution steps in the KB article: Host and Edge Transport Nodes disconnected from NSX UI after NSX managers were restored from backup

Additional Information