Title: Alarm for transport_node_certificate_expired
Event ID: transport_node_certificate_expired
Alarm Description
Purpose: Notify User that Transport Node Certificate has expired.
Impact: Transport Node can disconnect from Managers and not connect back again.
Cause: Transport Node Certificate has expired.
VMware NSX-T Data Center
Resolution:
Steps to Resolve
For 4.1.0 and higher
Maintenance window required for remediation?
No
Steps to resolve:
Replace the Transport node certificate with a non-expired certificate.
The expired certificate can be replaced using the NSX API below with the JSON body { "pem_encoded" : "", "private_key":"" }.
Here "pem_encoded" should contain the new Transport Node certificate and "private_key" should contain the new Transport Node private key.
POST /api/v1/trust-management/certificates/action/replace-host-certificate/{tn_uuid}
Work Around:
If the Transport Node certificate has not been replaced within 30 days or the certificate has already expired, follow the steps below:
rm -rf /etc/vmware/nsx/host-private.pem /etc/vmware/nsx/host-cert.pem
For NSX-T versions >= 4.1.0 and < 4.1.2.5, run the commands below one by one to generate/replace the Host Certificate. Note: skip this step for other versions.
a) Create a temporary openssl config file from the existing openssl config
cat /etc/vmware/nsx/openssl-proxy.cnf > /tmp/tmp-openssl-proxy.cnf
b) Add the Host UID to the temporary openssl config
echo "UID = $(grep -o '<uuid>[^<]*' /etc/vmware/nsx/host-cfg.xml | sed 's/<uuid>//')" >> /tmp/tmp-openssl-proxy.cnf
c) Add extension in the temporary openssl config
echo -e "[ req_ext ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer" >> /tmp/tmp-openssl-proxy.cnf
d) Generate/Replace the Host certificate. The -days parameter below specifies the number of days the certificate will be valid; the example below creates a certificate valid for 10 years.
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/vmware/nsx/host-privkey.pem -out /etc/vmware/nsx/host-cert.pem -config /tmp/tmp-openssl-proxy.cnf -extensions req_ext
/etc/init.d/nsx-proxy restart
push host-certificate <hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint>
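As an added check, not part of this VMware article, the shell functions below verify that a host certificate is outside the 30-day expiry window and carries the extensions the req_ext section above adds (CA:FALSE, clientAuth, key identifiers). They assume openssl is on PATH; the config, output directories and UID value are constructed for the demo and stand in for the real /etc/vmware/nsx files.

```shell
#!/bin/sh
# Added example, not from the VMware article: sanity checks around the
# host-certificate workaround above. Assumes openssl is on PATH; the
# directories and the UID value below are constructed for the demo.

# Exit 0 when the cert has expired or will expire within $2 days.
# openssl -checkend exits 0 only if the cert is still valid at that point.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 when the cert carries the extensions the workaround adds via
# req_ext: CA:FALSE, clientAuth EKU, subject and authority key identifiers.
cert_has_host_exts() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' &&
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' &&
    printf '%s\n' "$txt" | grep -q 'X509v3 Subject Key Identifier' &&
    printf '%s\n' "$txt" | grep -q 'X509v3 Authority Key Identifier'
}

# Build a self-signed host cert the way the workaround does (req_ext section,
# UID in the DN), valid for $1 days, writing key and cert into directory $2.
make_demo_host_cert() {
    days="$1"; dir="$2"; cfg="$dir/tmp-openssl-proxy.cnf"
    mkdir -p "$dir"
    # Minimal constructed config standing in for /etc/vmware/nsx/openssl-proxy.cnf.
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$cfg"
    printf '[ req_ext ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' >> "$cfg"
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\n' >> "$cfg"
    openssl req -new -newkey rsa:2048 -days "$days" -nodes -x509 \
        -subj "/CN=demo-transport-node/UID=00000000-0000-4000-8000-000000000000" \
        -keyout "$dir/host-privkey.pem" -out "$dir/host-cert.pem" \
        -config "$cfg" -extensions req_ext >/dev/null 2>&1
}

# Stand-alone demo: a 10-year cert passes, a 1-day cert trips the 30-day check.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_host_cert 3650 "$d/ok" && make_demo_host_cert 1 "$d/short"
    for c in "$d/ok" "$d/short"; do
        cert_has_host_exts "$c/host-cert.pem" && echo "$c: extensions ok"
        cert_expires_within_days "$c/host-cert.pem" 30 \
            && echo "$c: expires within 30 days, replace it" \
            || echo "$c: validity ok"
    done
fi
```

Run with the argument demo to see both outcomes, or source the file and point cert_expires_within_days at the real /etc/vmware/nsx/host-cert.pem with 30 as the threshold.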
Related Information: