Alarm For Transport Node Certificate is About to Expire.

Article ID: 345802

Products

VMware NSX Networking

Issue/Introduction

Title: Alarm for transport_node_certificate_is_about_to_expire
Event ID: transport_node_certificate_is_about_to_expire
Alarm Description

  • Purpose: Notify the user that the Transport Node certificate is about to expire in 7 days or less.

  • Impact: The Transport Node can disconnect from the Managers and not connect back again after the certificate expiry.

  • Cause: Transport Node certificate is about to expire in 7 days or less.



Environment

VMware NSX-T Data Center

Resolution

Steps to Resolve
For 4.1.0 and higher

  • Maintenance window required for remediation?
    No

  • Steps to resolve:
    Replace the Transport Node certificate with a non-expired certificate.
    The expiring certificate can be replaced by calling the NSX API below with the JSON body { "pem_encoded" : "", "private_key":""}.
    Here "pem_encoded" should contain the new Transport Node certificate and "private_key" should contain the new Transport Node private key.

    • NSX API: POST /api/v1/trust-management/certificates/action/replace-host-certificate/{tn_uuid}
  • Workaround:
    If the Transport Node certificate has not been replaced within 7 days, or the certificate has already expired,
    follow the steps below:

    • Step 1: Enable ssh for Transport Node
    • Step 2: Delete Transport Node certificate and private key
      CMD: rm -rf /etc/vmware/nsx/host-private.key /etc/vmware/nsx/host-cert.pem
    • Step 3: Restart the NSX proxy. Restarting nsx-proxy creates a new self-signed cert-key pair
      CMD: /etc/vmware/nsx-proxy restart
    • Step 4: Push the new cert-key pair to the manager using the nsxcli command below on the Transport Node
      CMD: push host-certificate <hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint>
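
The replace-host-certificate call from the steps above, as an added example (not code from the original article or from VMware): it builds the POST request and JSON body from PEM text, rejects a swapped certificate and key, and leaves authentication and sending to the caller. The manager hostname, transport node id and PEM contents are constructed placeholders.

```python
"""Added example: build the replace-host-certificate request without sending it."""
import json
import re
import urllib.request
from urllib.parse import quote

API_PATH = ("/api/v1/trust-management/certificates/action/"
            "replace-host-certificate/{tn_uuid}")
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def build_replace_request(manager, tn_uuid, cert_pem, key_pem):
    """Return an unsent urllib Request for the certificate replacement."""
    cert_labels = pem_labels(cert_pem)
    if not cert_labels or set(cert_labels) != {"CERTIFICATE"}:
        raise ValueError("pem_encoded must hold only CERTIFICATE blocks")
    key_labels = pem_labels(key_pem)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("private_key must hold exactly one private key block")
    # json.dumps escapes the PEM line breaks as \n; pasting raw multi-line
    # PEM into a hand-written JSON body produces invalid JSON.
    body = json.dumps({"pem_encoded": cert_pem, "private_key": key_pem})
    # Percent-encode the id so it cannot alter the request path.
    url = "https://" + manager + API_PATH.format(tn_uuid=quote(tn_uuid, safe=""))
    return urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})


# Constructed placeholders, not real key material or real identifiers.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_TN_UUID = "00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    req = build_replace_request("nsx-mgr.example.test", SAMPLE_TN_UUID,
                                SAMPLE_CERT, SAMPLE_KEY)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # Add authentication and send with urllib.request.urlopen(req) over TLS
    # that verifies the manager's certificate.
```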

Additional Information

Related Information:

  • Why do we need this:
    This alarm is raised to notify the user that the Transport Node certificate will expire in 7 days or less.