"Certificate chain of Compute Manager <VC-FQDN>/<VC-shortname> is invalid. Please check Issuer and Subject in the chain. (Error code: 90204)"
/var/log/cm-inventory/cm-inventory.log
2024-06-24T19:45:24.327Z ERROR http-nio-127.0.0.1-7443-exec-2 VcPlugin 4732 SYSTEM [nsx@1234 comp="nsx-manager" errorCode="MP40219" level="ERROR" reqId="########-#######-#########" subcomp="cm-inventory" username="admin"] Certificate of Vc example.com is invalid. it might be caused by issuer not being same as subject of next certificate in certificate chain.
2025-03-12T15:13:37.910Z NSX 5081 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP40428" level="ERROR" subcomp="manager"] Error connecting EAM com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain. on compute manager ####-####-####-####-####
2025-03-12T15:13:37.910Z NSX 5081 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26153" level="ERROR" subcomp="manager"] [HostPinned]: Failed to get EAM status for compute manager ComputeManagerModelMsg/####-####-####-####-####, com.vmware.nsx.management.lcm.vc.soap.exceptions.HostBasedVMException: Error connecting EAM on compute manager ####-####-####-####-####. Error javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
The certificate chain of the custom Machine SSL certificate on vCenter may be incomplete, or the new certificate bundle may contain an incorrect or missing entry. Extra certificates that are not part of the chain but are included in the vCenter Server certificate bundle can also cause NSX to reject it. A custom CA-signed certificate that vCenter accepts when applied through the vCenter UI can still produce this error when the vCenter is added or updated as a compute manager in NSX, because NSX checks that the issuer of each certificate matches the subject of the next certificate in the chain (as the cm-inventory log line states).
If the vCenter Machine SSL certificate contains only the 'leaf' certificate and not the 'full certificate chain' (the leaf plus the intermediate CA(s) and the root CA), NSX Manager rejects the vCenter certificate even though vCenter Server itself continues to function with it.
The Subject Alternative Name (SAN) of the custom Machine SSL certificate should include the FQDN, short name, and IP address of the vCenter Server. If the name NSX uses to connect to vCenter is missing from the SAN, NSX may fail to validate the connection and report the same error. Supplying accurate and complete SAN data when the certificate signing request is created prevents this.
To get the SHA-256 fingerprint of the certificate vCenter currently presents (run on the vCenter Server Appliance):
echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
To display every certificate in the chain that vCenter sends, together with the TLS handshake detail, from any host with OpenSSL:
openssl s_client -showcerts -debug -connect <VC-IP>:443
If the certificate was replaced through vSphere's Certificate Management UI and the error appears when updating the vCenter connection in NSX Manager, applying the same certificate with the vCenter CLI Certificate Manager utility instead may resolve it. This can happen because of an issue in vCenter's Certificate Management even when the certificate chain is complete and there is otherwise nothing wrong with the CA certificate.
It can help to save each certificate in the chain to a separate file and inspect them one at a time, checking the issuer of each against the subject of the next. Any certificate whose issuer does not match its expected parent, or that points to an unrelated parent, needs to be investigated. Two certificates that show exactly the same subject, issuer and chain are most likely duplicates of each other, and one of them must be removed from the bundle.
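The chain checks described above (issuer-to-subject linkage between consecutive certificates, a missing intermediate or root, duplicate entries, and the SAN contents of the leaf) can be scripted with the OpenSSL command line. The script below is an added example and is not part of the original article or of any VMware tool; it assumes the chain has been captured to a PEM bundle in the order s_client prints it (leaf first) and that the names NSX will use to reach vCenter are passed on the command line. The host name vc.example.com, the short name vc and the address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the certificate
# chain a vCenter presents before adding it as an NSX compute manager.
#
# Usage:
#   fetch_vc_chain vc.example.com > vc-chain.pem           # online capture
#   check_vc_chain vc-chain.pem vc.example.com vc 192.0.2.10
#
# check_vc_chain prints subject/issuer for every certificate in the bundle,
# flags the defects behind error 90204 and returns 0 only when the chain is
# clean. Host names and addresses are placeholders.

# Capture the chain exactly as vCenter sends it (leaf first) using s_client.
fetch_vc_chain() {
    echo | openssl s_client -showcerts -connect "$1:443" -servername "$1" 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print one name field of a PEM certificate without the "subject="/"issuer=" label.
x509_field() {  # x509_field FILE subject|issuer
    openssl x509 -in "$1" -noout -"$2" | sed "s/^$2= *//"
}

check_vc_chain() {  # check_vc_chain BUNDLE.pem [expected-SAN-name ...]
    bundle=$1; shift
    dir=$(mktemp -d) || return 2
    problems=0

    # 1. Split the bundle into $dir/cert.1, cert.2, ... and count the entries.
    count=$(awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert." n }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }' "$bundle")
    if [ "$count" -eq 0 ]; then
        echo "PROBLEM: no certificates found in $bundle"; rm -rf "$dir"; return 1
    fi

    i=1
    while [ "$i" -le "$count" ]; do
        cur="$dir/cert.$i"
        subj=$(x509_field "$cur" subject)
        iss=$(x509_field "$cur" issuer)
        fp=$(openssl x509 -in "$cur" -noout -fingerprint -sha256 | cut -d= -f2)
        echo "[$i] subject: $subj"
        echo "    issuer:  $iss"

        # 2. Duplicates: the same fingerprint already seen earlier in the bundle.
        if grep -q "^$fp\$" "$dir/seen" 2>/dev/null; then
            echo "    PROBLEM: duplicate of an earlier certificate; remove one copy"
            problems=$((problems + 1))
        fi
        echo "$fp" >> "$dir/seen"

        if [ "$subj" = "$iss" ]; then
            # 3. A self-signed certificate is the root and must be the last entry.
            if [ "$i" -ne "$count" ]; then
                echo "    PROBLEM: self-signed certificate is not the last entry in the chain"
                problems=$((problems + 1))
            fi
        elif [ "$i" -lt "$count" ]; then
            # 4. The issuer of this certificate must equal the subject of the next one.
            if [ "$iss" != "$(x509_field "$dir/cert.$((i + 1))" subject)" ]; then
                echo "    PROBLEM: issuer does not match the subject of certificate $((i + 1))"
                problems=$((problems + 1))
            fi
        else
            # 5. The chain ends before reaching a self-signed root: an issuer is missing.
            echo "    PROBLEM: chain ends here and its issuer is not in the bundle (incomplete chain)"
            problems=$((problems + 1))
        fi
        i=$((i + 1))
    done

    # 6. The SAN of the leaf (first certificate) must cover every name NSX will use.
    san=$(openssl x509 -in "$dir/cert.1" -noout -text |
          awk '/Subject Alternative Name/ { getline; print }' | tr -d ' ')
    echo "leaf SAN: ${san:-<none>}"
    for name in "$@"; do
        case ",$san," in
            *",DNS:$name,"* | *",IPAddress:$name,"*) ;;
            *) echo "    PROBLEM: expected SAN entry '$name' is missing"
               problems=$((problems + 1)) ;;
        esac
    done

    rm -rf "$dir"
    [ "$problems" -eq 0 ]
}
```

The linkage test compares the issuer and subject strings as OpenSSL prints them, which is the same comparison the NSX log message describes; a chain that passes here but still fails in NSX points at the certificate content itself (wrong key usage, expired entry) rather than at ordering or completeness, and `openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem` is the next thing to run.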