Error "certificate conflict with clusterControlPlane" when registering an Antrea Kubernetes Cluster to NSX with existing certificate.

Article ID: 345885


Products

VMware NSX
VMware Container Networking with Antrea

Issue/Introduction

Steps followed to generate the certificate and use it for the Antrea cluster:

1. Create a client certificate for an Antrea cluster.
2. Register the Antrea cluster to NSX with the above client certificate.
3. Register another Antrea cluster to NSX with the same client certificate.
4. The second registration fails, and the error "certificate conflict with clusterControlPlane node id" appears in the register Pod log.
5. Check the NSX nsxapi.log: it contains an InvalidArgumentException and a NullPointerException.

nsxapi.log
<timestamp>.818Z ERROR http-nio-127.0.0.1-7440-exec-59 ClusterControlPlaneServiceImpl 85229 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM220" level="ERROR" reqId="cxxxxxxd-21a0-4xx3-bxxf-d0xxxxxxxxxc" subcomp="manager" username="admin"] ClusterControlPlaneServiceImpl::validateParameterForCreate: certificate conflict with clusterControlPlane
com.vmware.nsx.management.container.exceptions.InvalidArgumentException: Argument ClusterControlPlaneServiceImpl::validateParameterForCreate: certificate conflict with clusterControlPlane node id 9xxxxxx4-cxx1-4xxf-axxe-3xxxxxxxxxx4 is invalid.
...
<timestamp>.824Z WARN http-nio-127.0.0.1-7440-exec-59 ExceptionHandlerExceptionResolver 85229 Failure in @ExceptionHandler com.vmware.nsxapi.clustercontrolplane.controller.ClusterControlPlaneController#handleBaseException(BaseException, HttpServletResponse, HttpServletRequest)
java.lang.NullPointerException: null

 





Environment

VMware NSX

Cause

This is a known issue. A user cannot register an Antrea cluster with a certificate that is already used by another cluster. The NullPointerException error might cause unexpected behavior in NSX.

Rejecting the second registration is expected behavior, because:

1. Each certificate's CommonName should equal the ClusterControlPlane's id, and should equal the PI's (principal identity's) name.
2. The PI's name and the ClusterControlPlane's id are unique.

However, NSX does not process the InvalidArgumentException correctly, and it throws another exception, a NullPointerException.

Resolution

Use a unique certificate for each Antrea cluster, and make sure the certificate's CommonName equals the cluster name.

Follow the NSX Administration Guide https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-9197EF8A-7998-4D1B-B968-067007C56B5C.html to integrate a Kubernetes cluster with Antrea CNI to NSX.
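The following pre-registration check is an added example, not part of the original article or of VMware's tooling. It verifies the two conditions from the Resolution: each certificate's CommonName equals its cluster name, and no certificate is shared between clusters. It assumes openssl is installed; the function names, cluster names and file paths are hypothetical, and make_cluster_cert only produces constructed self-signed certificates as sample input.

```shell
#!/usr/bin/env bash
# Added example: check Antrea client certificates before registering to NSX.
# Function names, cluster names and paths are hypothetical.

# Constructed sample input: a self-signed cert whose CommonName is the cluster name.
make_cluster_cert() {   # usage: make_cluster_cert <cluster-name> <out-dir>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Print the subject CommonName of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline \
    | sed -n 's/^ *commonName *= *//p'
}

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# usage: check_certs <cluster-name>=<cert.pem> ...
# Returns non-zero if a CommonName differs from its cluster name or if two
# clusters present the same certificate (the case NSX rejects with
# "certificate conflict with clusterControlPlane").
check_certs() {
  local rc=0 seen="" pair name cert cn fp
  for pair in "$@"; do
    name=${pair%%=*}; cert=${pair#*=}
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$name" ]; then
      echo "FAIL $name: CommonName is '$cn'"; rc=1
    fi
    fp=$(cert_fp "$cert")
    case "$seen" in
      *"$fp"*) echo "FAIL $name: certificate already used by another cluster"; rc=1 ;;
      *) seen="$seen $fp" ;;
    esac
  done
  return $rc
}
```

Call check_certs with one name=path pair per cluster; it exits non-zero and prints a FAIL line for every cluster that would conflict.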


