Alarm For Transport Node Certificate Expiration Approaching

Article ID: 345823

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Title: Alarm for transport_node_certificate_expiration_approaching
Event ID: transport_node_certificate_expiration_approaching
Alarm Description

  • Purpose: Notify the user that the Transport Node certificate will expire in 30 days or less.

  • Impact: The Transport Node can disconnect from the Managers and be unable to reconnect after the certificate expires.

  • Cause: Transport Node certificate expiration is approaching in 30 days or less.

Environment

VMware NSX-T Data Center

Resolution

Steps to Resolve, for 4.1.0 and higher:

  • Is a maintenance window required for remediation?
    No
  • Steps to resolve:
    Replace the Transport Node certificate with a non-expired certificate.
    The expired certificate can be replaced by using the NSX API below with the JSON body { "pem_encoded" : "", "private_key":""}.
    Here "pem_encoded" should contain the new Transport Node certificate and "private_key" should contain the new Transport Node private key.
    • NSX API: POST /api/v1/trust-management/certificates/action/replace-host-certificate/{tn_uuid}
  • Workaround:
    If the Transport Node certificate has not been replaced within 30 days, or the certificate has already expired, follow the steps below:
    1. Enable SSH on the Transport Node
    2. Delete Transport Node certificate and private key
      CMD: rm -rf /etc/vmware/nsx/host-private.key /etc/vmware/nsx/host-cert.pem
    3. Restart the NSX proxy. Restarting nsx-proxy creates a new self-signed cert-key pair
      CMD: /etc/vmware/nsx-proxy restart
    4. Push the new cert-key pair to the Manager by running the nsxcli command below on the Transport Node
      CMD: push host-certificate <hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint>
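
For the API-based replacement in the steps to resolve above, it is worth confirming before the POST that the new certificate is itself outside the 30-day alarm window and that the private key belongs to it. The script below is an added example, not part of the original article or VMware's tooling; it assumes `openssl` and `awk` are available on the workstation, and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on a replacement Transport Node certificate,
# then build the JSON body for replace-host-certificate. Assumes plain PEM files.

ALARM_WINDOW_SECS=$((30 * 24 * 3600))   # the alarm fires at 30 days or less

# Succeeds only if the certificate stays valid beyond the 30-day alarm window.
cert_outside_alarm_window() {
    openssl x509 -in "$1" -noout -checkend "$ALARM_WINDOW_SECS" >/dev/null 2>&1
}

# Succeeds only if the private key and the certificate share one public key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Emit a PEM file as the inside of a JSON string. Plain PEM holds only base64
# text, spaces and dashes, so line breaks are all that needs escaping.
pem_to_json_string() {
    awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$1"
}

# Print the request body on stdout, or explain on stderr why it was refused.
build_replace_body() {
    if ! cert_outside_alarm_window "$1"; then
        echo "certificate unreadable, expired, or expiring within 30 days" >&2
        return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match the certificate" >&2
        return 3
    fi
    printf '{ "pem_encoded" : "%s", "private_key":"%s"}\n' \
        "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")"
}

# Usage: script.sh new-tn-cert.pem new-tn-key.pem > body.json  (placeholder names)
# body.json is then the payload for
# POST /api/v1/trust-management/certificates/action/replace-host-certificate/{tn_uuid}
if [ "$#" -eq 2 ]; then
    build_replace_body "$1" "$2"
fi
```

The generated body contains the private key, so write it under a restrictive umask (for example `umask 077`) and delete it once the API call has succeeded.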

Additional Information

  • Why do we need this?
    This alarm is raised to notify the user that the Transport Node certificate will expire in 30 days or less.