Duplicate extended key usage (EKU) causing pre-upgrade check to fail for NSX-T MP.


Article ID: 345807


Products

VMware NSX

Issue/Introduction

Symptoms:

The NSX-T MP pre-upgrade check fails with the error below:

"Pre-upgrade checks failed for MP: The certificate with id 950485a5-####-####-####-81f1a007b10c failed to parse with error: Duplicate extended key usage not allowed. Please replace this certificate prior to upgrading."


Environment

VMware NSX-T

Cause

The certificate (950485a5-####-####-####-81f1a007b10c) was improperly created (it carries the Extended Key Usage extension more than once) and must be replaced.

Resolution

Replacing the certificate with a correctly built one resolves the issue.

Further validation/extra information:

A duplicate Extended Key Usage (EKU) extension can be confirmed with OpenSSL (note that VMware does not support OpenSSL).

An example of a certificate with a duplicate Extended Key Usage (EKU) extension, where client.crt is the certificate being checked:

openssl x509 -in client.crt -text -noout | grep Extended
            X509v3 Extended Key Usage:
            X509v3 Extended Key Usage:

The extension header is printed twice because the certificate contains the EKU extension twice; a correctly built certificate prints it once.
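The same duplicate-extension check can be done without OpenSSL. The Python script below is an added illustration, not part of this KB and not VMware or NSX code: it walks the DER structure of a certificate, lists the extension OIDs and reports any OID that occurs more than once. The certificate bytes at the bottom are constructed inside the script (unsigned, hypothetical) so it runs offline; to check a real file, pass its DER bytes to duplicate_extensions().

```python
EKU_OID = "2.5.29.37"  # id-ce-extKeyUsage
def read_tlv(buf, pos):  # -> (tag, value, next_pos); single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(der):  # all (tag, value) pairs inside a constructed DER value
    out, pos = [], 0
    while pos < len(der):
        tag, val, pos = read_tlv(der, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):  # DER OBJECT IDENTIFIER body (base-128 arcs) -> dotted string
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):  # extension OIDs of a DER Certificate, duplicates kept
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]  # tbsCertificate is the first element
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions ::= SEQUENCE OF Extension
            return [decode_oid(children(e)[0][1]) for _, e in children(children(val)[0][1])]
    return []

def duplicate_extensions(cert_der):  # OIDs seen more than once; strict parsers reject these
    oids = extension_oids(cert_der)
    return sorted({o for o in oids if oids.count(o) > 1})

# Constructed, unsigned sample certificate (short-form lengths and one-byte arcs suffice).
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
def oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))
def extension(dotted, inner):
    return tlv(0x30, oid(dotted) + tlv(0x04, inner))
def make_cert(*exts):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))  # empty sigAlg, dummy signature

EKU_SERVER_AUTH = extension(EKU_OID, tlv(0x30, oid("1.3.6.1.5.5.7.3.1")))  # EKU = {serverAuth}
BASIC_CONSTRAINTS = extension("2.5.29.19", tlv(0x30, b""))
BAD_CERT = make_cert(BASIC_CONSTRAINTS, EKU_SERVER_AUTH, EKU_SERVER_AUTH)  # EKU listed twice
```

For a PEM file, strip the BEGIN/END lines and base64-decode the body before calling duplicate_extensions(); an empty result means no extension is repeated.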

Additional Information

1. The certificate ID in question belongs to the CA-signed certificate assigned to the NSX Manager nodes as the cluster API certificate:

root@nsx:~# curl -k -u admin https://127.0.0.1/api/v1/cluster/api-certificate
Enter host password for user 'admin':
{
 "certificate_id": "950485a5-####-####-####-81f1a007b10c"
}
root@nsx:~#


2. The certificate still passes the NSX certificate validation API on both manager nodes, so that check does not reveal the duplicate EKU:

root@nsx:/# curl -k -u admin https://#.#.#.1/api/v1/trust-management/certificates/950485a5-####-####-####-81f1a007b10c?action=validate
Enter host password for user 'admin':
{
 "status" : "OK"

root@nsx:/# curl -k -u admin https://#.#.#.2/api/v1/trust-management/certificates/950485a5-####-####-####-81f1a007b10c?action=validate
Enter host password for user 'admin':
{
 "status" : "OK"

NOTE: #.#.#.1 and #.#.#.2 are the NSX-T Manager IP addresses of a two-node management cluster.