NSX edge node deployment triggered from the NSX Manager UI fails with the following error: "OVF certificate validation failed. Error: Error while fetching ovf file. e has expired"
Article ID: 369908

Updated On:

Products

VMware NSX

Issue/Introduction

  • When deploying a new edge node from the NSX Manager UI, the deployment fails with the error "OVF certificate validation failed. Error: Error while fetching ovf file. e has expired".

  • If you check the certificates in the NSX Manager UI, you will find that the certificate associated with the API and/or MGMT_CLUSTER service has expired.

Environment

VMware NSX, VMware NSX-T

Cause

When the Tomcat certificates (Service Type = API) and/or the mp-cluster certificates (Service Type = MGMT_CLUSTER) expire on the NSX Managers, the Edge/Manager deployment workflow triggered from NSX Manager fails. This is expected behavior of the product.

 

Resolution

  1. Verify that the certificates (API and MGMT_CLUSTER) are valid by making the following API call: GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
  2. Create CSRs for the API and MGMT_CLUSTER services (refer to: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-8F851905-F3E2-482B-BC43-04A037EC779E.html).
  3. Self-sign the CSRs (refer to: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-9BBF8A54-DFBD-4B24-B7A1-492CB42DD0D5.html).
  4. Then use the POST APIs to renew the tomcat and mgmt-cluster certificates (follow steps 4 & 5 in the following doc: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html).
  5. Restart the http service on all 3 NSX Managers (from the admin shell): restart service http
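
To catch this condition before a deployment fails, the check in step 1 can be run ahead of time against every certificate bound to the API or MGMT_CLUSTER service. The following is an added example, not part of the original article or VMware's own code. It assumes the certificate listing (GET /api/v1/trust-management/certificates) returns entries with `id`, `used_by[].service_types` and `details[].not_after` in epoch milliseconds; confirm these field names against the API reference for your NSX version. The sample data is constructed.

```python
from datetime import datetime, timezone

WATCHED = {"API", "MGMT_CLUSTER"}  # service types named in this article

def validate_url(nsx_mgr, cert_id):  # the validation call from step 1
    return f"https://{nsx_mgr}/api/v1/trust-management/certificates/{cert_id}?action=validate"

def find_expiring(listing, now, warn_days=30):
    """Report watched certificates that are expired or expire within warn_days."""
    findings = []
    for cert in listing.get("results", []):
        services = {s for use in cert.get("used_by", [])
                    for s in use.get("service_types", [])}
        hit = sorted(services & WATCHED)
        if not hit:
            continue  # not bound to API or MGMT_CLUSTER
        # A chain is only valid until its earliest not_after (epoch ms, assumed).
        ends = [d["not_after"] for d in cert.get("details", []) if "not_after" in d]
        if not ends:
            findings.append({"id": cert["id"], "services": hit, "state": "UNKNOWN"})
            continue
        not_after = datetime.fromtimestamp(min(ends) / 1000, tz=timezone.utc)
        if not_after <= now:
            state = "EXPIRED"
        elif (not_after - now).days < warn_days:
            state = "EXPIRING"
        else:
            continue  # healthy, nothing to report
        findings.append({"id": cert["id"], "services": hit, "state": state,
                         "not_after": not_after.date().isoformat()})
    return findings

def _cert(cid, services, *dates):  # builds one constructed listing entry
    ms = [int(datetime(*d, tzinfo=timezone.utc).timestamp() * 1000) for d in dates]
    return {"id": cid, "used_by": [{"service_types": services}],
            "details": [{"not_after": m} for m in ms]}

# Constructed sample listing: ids and dates are made up for this example.
SAMPLE = {"results": [
    _cert("cert-a", ["API"], (2024, 12, 1)),
    _cert("cert-b", ["MGMT_CLUSTER"], (2025, 1, 15), (2030, 1, 1)),
    _cert("cert-c", ["API"], (2026, 1, 1)),
    _cert("cert-d", [], (2020, 1, 1)),
]}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in find_expiring(SAMPLE, NOW):
        print(f, "->", validate_url("<nsx-mgr>", f["id"]))
```

Any certificate reported as EXPIRED or EXPIRING is a candidate for steps 2 to 5 above.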