Error Reconnecting Compute Manager to NSX on SDDC-Managed Environment after Certificate Replacement on vCenter



Article ID: 376477


Products

VMware NSX
VMware vCenter Server

Issue/Introduction

The Compute Manager is disconnected from NSX in a production environment after the vCenter certificates are replaced.

The Compute Manager "Connection Status" shows as "Down" or "Registered With Errors" in the NSX UI.

An error similar to the following results when attempting to reconnect the Compute Manager via the NSX UI:

  • Failed to remove NSX ownership due to error Error in rest call. url= nsxapi/api//v1/managed-objects/lcm/nsx-ownership/########-####-####-####-############?action=clear , method= PUT , response= { "module_name" : "common-services", "error_message" : "General error has occurred.", "details" : "java.lang.RuntimeException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: Certificate expired for CN=###-##-##.###.#########.####,O=#####,ST=######,C=##", "error_code" : 100 } , error= 500 : "{<EOL> "module_name" : "common-services",<EOL> "error_message" : "General error has occurred.",<EOL> "details" : "java.lang.RuntimeException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: Certificate expired for CN=###-##-##.###.#########.####,O=#####,ST=######,C=##",<EOL> "error_code" : 100<EOL>}<EOL>" .. Please resolve the error and try again

 

The thumbprint error is not detected as seen here:

Environment

VMware NSX-T Data Center
VMware NSX 4.1.2.0
VMware vCenter Server 

Cause

The issue is caused by the certificate update/replacement process on the vCenter(s), which changes the machine SSL and Security Token Service (STS) signing values.

This results in a certificate error on NSX when attempting to re-establish connection to the Compute Manager, which is the impacted vCenter server.

Resolution

Workaround:

  1. Restart all vCenter Server services to propagate the new certificate values across all internal message buses:
    • Connect to the vCenter Server Appliance (VCSA) via SSH.
    • Run the command: service-control --stop --all && service-control --start --all
    • Note: Alternatively, reboot the vCenter Server appliance.
  2. Navigate to the NSX Manager UI: System > Fabric > Compute Managers.
  3. Select the impacted vCenter Server and click Edit.
  4. Re-enter the vCenter Server credentials and click Save.
  5. Accept the newly provisioned vCenter certificate thumbprint when prompted.
  6. If registration fails immediately, wait 5–10 minutes for the cm-inventory service to stabilize and retry the edit operation.
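Step 5 asks the operator to accept whatever thumbprint NSX prompts with, so it is worth obtaining the vCenter certificate's thumbprint independently and comparing it before clicking accept. The following is an added example, not part of the original article or Broadcom's tooling; it assumes the prompt shows the SHA-256 thumbprint as hex, and vcenter.example.com is a placeholder FQDN.

```python
import hashlib
import hmac
import ssl


def thumbprint_from_der(der: bytes) -> str:
    """SHA-256 of the DER certificate as upper-case, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    """Same thumbprint, starting from a PEM-encoded certificate."""
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem.strip()))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Fingerprint whatever certificate host:port presents.

    The chain is deliberately not validated: the goal is only to read the
    presented certificate. Run this from a trusted management network.
    """
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


def _canonical(thumbprint: str) -> bytes:
    # Strip colons and whitespace so "AA:BB", "aabb" and "AA BB" compare equal.
    return "".join(thumbprint.replace(":", " ").split()).upper().encode()


def thumbprints_match(expected: str, displayed: str) -> bool:
    """True only if the prompted value equals the independently obtained one."""
    return hmac.compare_digest(_canonical(expected), _canonical(displayed))


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate. In practice use
    # fetch_thumbprint("vcenter.example.com") with your own vCenter FQDN.
    pem = ssl.DER_cert_to_PEM_cert(b"constructed-sample-der")
    expected = thumbprint_from_pem(pem)
    print(expected)
    print(thumbprints_match(expected, expected.replace(":", "").lower()))
```

If the value in the NSX prompt does not match the independently obtained thumbprint, do not accept it; confirm which certificate the vCenter is actually serving first.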

If the issue persists, please open a case with Broadcom Support following "Creating and managing Broadcom support cases".

 

Additional Information

This issue may also occur on environments that are not SDDC-Managed.

Other vCenter(s) in the same Enhanced Linked Mode (ELM) configuration as the impacted vCenter may show no similar errors.

An additional error may appear: "EAM Status" may show as "Down" in the NSX UI when the Compute Manager is disconnected.

Perform vCenter Diagnostics with VDT (vSphere Diagnostics Tool) to identify underlying vCenter issues.