"No Certificate Profile of type LOCAL_MANAGER available for the current node-type." encountered in NSX-T when Replacing an Expired Local Manager Certificates
search cancel

"No Certificate Profile of type LOCAL_MANAGER available for the current node-type." encountered in NSX-T when Replacing an Expired Local Manager Certificates

book

Article ID: 381079

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

When using the documented steps, Replace Certificates, to replace an expired LOCAL_MANAGER certificate using the API call:

POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=LOCAL_MANAGER

You receive the following error:

"error_message": "No Certificate Profile of type LOCAL_MANAGER available for the current node-type."

 

Environment

VMware NSX-T 3.x

Cause

The expected certificate profile for LOCAL_MANAGER may not be created or configured on the NSX-T Manager. This can occur if the setup process was incomplete or if the profiles were deleted or not assigned correctly.

Resolution

To replace the expired Local Manager certificate in VMware NSX-T 3.x, using an API client such as Postman, follow these steps:

  1. Open Postman API Client

    • Ensure you have the Postman API client installed and configured.

  2. Setup the API Request in Postman

    • Replace <nsx-mgr> with your NSX-T Manager server’s IP or FQDN in the URL below:
       
      POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
       
    • Configure the request as follows:
      • Method: POST
      • Authorization Tab: Select Basic Auth and enter your NSX-T Manager login credentials.
      • Headers Tab: Set Content-Type to application/json.
      • Body Tab:
        • Choose raw format.
        • Select JSON.
        • Copy the following payload to the body, replacing <id> with the new certificate ID:
           
          { "<certificate-": "<id>", "service_type": "LOCAL_MANAGER" }
           
    • Send the Request: Click Send to apply the new certificate.

  3. Verify the New Certificate Assignment

    • Log into the NSX-T Manager interface, refresh the UI, and confirm the new certificate is applied to the Local Manager by checking the "where used" status.

  4. Check Certificate Usage (for Earlier NSX-T Versions)

    • In earlier NSX-T versions, "where used" details may not be visible in the UI. Use the following API call to verify if the certificate is in use:
      • To check all certificates:
         
        GET https://<nsx-mgr>/api/v1/trust-management/certificates
         
      • To check a specific certificate by ID:
         
        GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>
         
    • Look for "used_by": [] in the response, which indicates that the certificate is not in use.

  5. Delete the Old Certificate

    • Once you have confirmed that the expired certificate is no longer in use, proceed to delete it from NSX-T Manager.

Note: The above steps assume the new certificate has already been created, signed and imported into VMware NSX-T using the steps Create a Self-Signed Certificate.

Additional Information

For further information, refer to VMware’s official documentation on replacing certificates in NSX-T: VMware NSX-T Certificate Replacement Documentation.

Powered by Wolken Software