NSX Certificate Expired Alarm

Article ID: 345870


Products

VMware NSX

Issue/Introduction

Title: Certificate Expired

Event ID: certificate_expired

Severity: Critical

Alarm Description: Certificate {entity_id} has expired

  • In the NSX UI, under System, Certificates, Certificates, one or more certificates have a Validity of Expired.
  • The NSX Manager log /var/log/syslog has an alarm entry similar to this example:

    <DATE>T10:06:09.706Z manager1 NSX 5443 MONITORING [nsx@6876 alarmId="<UUID>" alarmState="OPEN" comp="nsx-manager" entId="<UUID>" errorCode="MP701099" eventFeatureName="certificates" eventSev="CRITICAL" eventState="On" eventType="certificate_expired" level="FATAL" nodeId="<UUID>" subcomp="monitoring"] Certificate <UUID> has expired.
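
As an added example (not part of the original article or of VMware's tooling), this Python code parses alarm entries in the syslog format shown above and returns the certificate entity IDs whose certificate_expired alarm is still open. The sample lines, IDs, timestamps and the RESOLVED state value are constructed assumptions; the article itself shows only alarmState="OPEN".

```python
import re

# Structured-data block in the format of the article's sample: [nsx@6876 key="value" ...]
SD_BLOCK = re.compile(r'\[nsx@6876 ((?:[\w.-]+="(?:[^"\\]|\\.)*"\s*)+)\]')
SD_PAIR = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')


def parse_alarm(line):
    """Return (timestamp, fields) for an NSX structured syslog line, else None."""
    m = SD_BLOCK.search(line)
    if not m:
        return None
    return line.split(" ", 1)[0], dict(SD_PAIR.findall(m.group(1)))


def open_expired_certs(lines):
    """Map alarmId -> entId for certificate_expired alarms whose latest state is OPEN."""
    latest = {}
    for line in lines:
        parsed = parse_alarm(line)
        if not parsed:
            continue
        ts, f = parsed
        if f.get("eventType") != "certificate_expired" or "alarmId" not in f:
            continue
        # ISO-8601 UTC timestamps in one format compare correctly as strings.
        if f["alarmId"] not in latest or ts >= latest[f["alarmId"]][0]:
            latest[f["alarmId"]] = (ts, f.get("alarmState"), f.get("entId"))
    return {a: ent for a, (_, state, ent) in latest.items() if state == "OPEN"}


def _line(ts, alarm, state, ent):
    """Build a constructed sample line mirroring the article's example entry."""
    return (f'{ts} manager1 NSX 5443 MONITORING [nsx@6876 alarmId="{alarm}" '
            f'alarmState="{state}" comp="nsx-manager" entId="{ent}" '
            f'eventSev="CRITICAL" eventType="certificate_expired" '
            f'subcomp="monitoring"] Certificate {ent} has expired.')


# Constructed sample input; "RESOLVED" is an assumed state value, not from the article.
SAMPLE = [
    _line("2024-01-01T10:06:09.706Z", "alarm-1", "OPEN", "cert-1"),
    _line("2024-01-01T10:07:00.000Z", "alarm-2", "OPEN", "cert-2"),
    _line("2024-01-02T08:00:00.000Z", "alarm-2", "RESOLVED", "cert-2"),
    "2024-01-02T08:00:01.000Z manager1 sshd[100]: unrelated line",
]

if __name__ == "__main__":
    print(open_expired_certs(SAMPLE))
```

The returned entity IDs can then be checked against the 'Used By' column to decide between replacing and deleting each certificate.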

Environment

VMware NSX-T Data Center

VMware NSX

Cause

A certificate in the NSX Manager trust store has reached its expiration date.

Details on the types of certificates can be found in Certificates for NSX and NSX Federation.

Resolution

If in use, expired certificates must be replaced with valid certificates. If not in use, as indicated in the 'Used By' column of the 'System, Certificates, Certificates' page for that certificate, the certificate can be deleted by selecting it and deleting it.

Services may be functionally impacted until the certificates are replaced.

Expired certificates that are no longer in use must be deleted.


Starting from NSX 4.2.0, renewal of certificates can be performed via the UI; see the Admin Guide section Replace Certificates Through NSX Manager.

The CARR script can also be used to replace expired self-signed NSX certificates; see Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX.

For CA-signed certificates, a new certificate will need to be obtained from the relevant CA and imported to NSX.

Additional Information