CBM_API certificate replacement fails with error : 'No certificate Profile of type CBM_API expiring certificate'
Article ID: 367857
Updated On:
Products
VMware NSX
Issue/Introduction
- NSX infra was recently upgraded to 4.1.x version.
- CBM certificates shows up as expired and on manual replacement using the API call, CBM_API service throws below error
POST https://<Any manager-IP or manager FQDN>/api/v1/trust-management/certificates/<New Certificate ID>?action=apply_certificate&service_type=<CBM_API>&node_id=<manager node ID>{"httpStatus" : "BAD_REQUEST","error_code" : 2081,"module_name" : "internal-framework","error_message" : "No Certificate Profile of type CBM_API available for the current node-type."}Environment
VMware NSX 4.1.x
Cause
CBM_API service type has been deprecated from version 4.1.1 onwards but we do see some unexpected occurrences of certificates using this service-type when it was upgraded.
Resolution
This issue is resolved in VMware NSX 4.1.2.5 and 4.2.0, available at Broadcom downloads, whereby the certificate and service is removed.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.
Steps to release each CBM_API certificate (API-Corfu Client certificate):
- Access the NSX Manager UI, under System / Certificates.
- Locate the CBM_API certificate (API-Corfu Client certificate).
- Depending on the column “Where Used”:
-
- If the column “Where Used” is at 0, you can simply delete the certificate via the vertical ellipsis.
- If the column “Where Used” is NOT at 0, please run the CARR script from the KB Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX which will release the certificate and allow you to remove it from the UI, as it will no longer have a "Where Used" count not 0.
Feedback
Yes
No
Powered by
