NSX edge node deployment triggered from NSX Manager UI, fails with following error, "OVF certificate validation failed. Error: Error while fetching ovf file. e has expired"

Article ID: 369908

Updated On:

Products

VMware NSX

Issue/Introduction

  • When deploying a new Edge node from the NSX Manager UI, the deployment fails with the error "OVF certificate validation failed. Error: Error while fetching ovf file. e has expired".

  • In the NSX Manager UI, under System -> Certificates, the certificate associated with the API and/or MGMT_Cluster service has expired.

Environment

VMware NSX

Cause

When the Tomcat certificates (Service Type = API) and/or the mp-cluster certificates (Service Type = MGMT_CLUSTER) expire on the NSX Managers, the Edge/Manager deployment workflow triggered from NSX Manager fails. This is expected behavior of the product.

Resolution

1. Verify the certificate with the following API call: GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

2. Create a CSR for the API and MGMT_CLUSTER services (refer to: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-8F851905-F3E2-482B-BC43-04A037EC779E.html).

3. Then use the POST APIs below to renew the Tomcat and mgmt-cluster certificates (follow steps 4 & 5 in the following doc).

4. Restart the proton service on all 3 NSX Managers (from the admin shell): restart service manager
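An added example, not part of the original article or VMware's own tooling: a Python check that takes a certificate list response from NSX Manager, picks out the certificates bound to the API and MGMT_CLUSTER services, and classifies them by expiry so they can be renewed before edge deployment breaks. The response field names (`results`, `used_by`, `service_types`, `details`, `not_after` in epoch milliseconds, leaf certificate first) are assumptions about the trust-management API schema, and the sample data and certificate IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

WATCHED = {"API", "MGMT_CLUSTER"}  # service types named in the Cause section
REF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

def _ms(days):  # epoch milliseconds for REF + days; only builds the sample
    return int((REF + timedelta(days=days)).timestamp() * 1000)

# Constructed sample in the assumed shape of the certificate list response.
SAMPLE = {"results": [
    {"id": "example-cert-1", "used_by": [{"service_types": ["API"]}],
     "details": [{"not_after": _ms(-10)}]},
    {"id": "example-cert-2", "used_by": [{"service_types": ["MGMT_CLUSTER"]}],
     "details": [{"not_after": _ms(12)}]},
    {"id": "example-cert-3", "used_by": [{"service_types": ["API"]}],
     "details": [{"not_after": _ms(400)}]},
    {"id": "example-cert-4", "used_by": [], "details": [{"not_after": _ms(-90)}]},
    {"id": "example-cert-5", "used_by": [{"service_types": ["MGMT_CLUSTER"]}],
     "details": []},
]}

def check_certs(cert_list, now, warn_days=30):
    """Classify certificates bound to the API / MGMT_CLUSTER services."""
    findings = []
    for cert in cert_list.get("results", []):
        services = sorted(WATCHED & {s for use in cert.get("used_by", [])
                                     for s in use.get("service_types", [])})
        if not services:
            continue  # not bound to a service that blocks edge deployment
        details = cert.get("details") or [{}]
        not_after = details[0].get("not_after")  # assumed: leaf entry is first
        if not_after is None:
            days_left, state = None, "UNKNOWN"  # no expiry data: use validate
        else:
            days_left = int((not_after / 1000 - now.timestamp()) // 86400)
            state = ("EXPIRED" if not_after / 1000 <= now.timestamp()
                     else "EXPIRING" if days_left < warn_days else "OK")
        findings.append({
            "id": cert["id"], "services": services,
            "days_left": days_left, "state": state,
            # validation call from step 1 of the Resolution section
            "validate": f"/api/v1/trust-management/certificates/{cert['id']}?action=validate",
        })
    return findings

if __name__ == "__main__":
    for f in check_certs(SAMPLE, REF):
        print(f["state"], f["id"], f["services"], f["days_left"], f["validate"])
```

In practice, pass the parsed JSON from the manager and `datetime.now(timezone.utc)` instead of `SAMPLE` and `REF`, then run the step 1 validate call for anything not reported as OK.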

 

Additional Information