Newly deployed Edge Transport Node is not able to register to NSX manager and shows "Registration Timeout" error due to Certificate Validation Failed
Article ID: 381511
Updated On:
Products
Issue/Introduction
- New Edge Transport Node is deployed from NSX manager, which in turn creates a Edge VM in the vCenter
- When this new Edge Transport Node tries to register and it fails with "Registration Timeout" error on the NSX UI even though the communication between Edge and NSX managers are all fine (using ports 1234,1235,443)
- Even when joined (
join management-plane <Manager-IP> thumbprint <Manager-thumbprint> username admin) manually to NSX manager, still we will see the 'Registration Timeout' error in the UI
Environment
VMware NSX
VMware NSX-T Data Center
Cause
- This is caused due to expiring (within 30 days) or expired certificates on the NSX managers relating to API cert (Tomcat cert) and for VIP.
- In the NSX manager logs:
/var/log/syslog.log, we can see error: "Certificate Validation failed"
- And also: "
Accept on endpoint 'ssl://0.0.0.0:1234 failed with error 167772294 certificate verify failed (SSL routines) from remote endpoint 'ssl tcp://x.x.x.x:45926"
Resolution
To resolve this issue, we need to replace the expiring certificates (within 30 days) or expired certificates:
To replace the API (Tomcat) and Management cluster certificates following are the APIs:
- Cluster API (mp-cluster) certificate is one cert for the whole NSX cluster
- API (tomcat) certificate is one per manager node
To replace API certificate:
- Create a self signed certificate: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/certificates/creating-self-signed-certificates/configure-a-self-signed-certificate.html
- Validate the certificate:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate - To replace the certificate of manager node (tomcat) use the following API call:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
(Perform the above 3 steps for the other 2 manager nodes)
To replace Cluster API certificate:
- Create a self signed certificate: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/certificates/creating-self-signed-certificates/configure-a-self-signed-certificate.html
- Validate the certificate:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate - To replace the certificate of manager node (tomcat) use the following API call:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
In NSX 4.2.0 onwards, there is an alternate option to replace directly in the UI itself by selecting the cert you want to replace with new certificate:
System > Certificates > Actions > Replace certificates
- Select the old certificate
- Click on Replace certificates
- Select from drop down the new certificate that was created
- click save and this will replace the old cert with new certificate.
Once the expired or expiring certificates (within 30 days) are replaced, a new Edge Transport Node can be deployed and this should complete successfully and should show the 'Success' state:
Reference: Types of Certificates
Additional Information
| API (previously known as tomcat) | This is an API certificate used for external communication with individual NSX Manager nodes through UI or API. |
| Cluster (previously known as mp-cluster) | This is an API certificate used for external communication with the NSX Manager cluster using the cluster VIP, through UI or API. |
Feedback
