NSX-T API service type certificate is associated with site ID instead of node ID

Article ID: 384030


Products

VMware NSX

Issue/Introduction

  • NSX-T assigns certificates to a number of platform service types, for example API and MGMT_CLUSTER.
    • API - this is assigned to a node ID. In NSX-T 3.2 onwards, the following API call applies the certificate; it requires the node ID, which identifies an individual NSX-T manager:
      • POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
    • MGMT_CLUSTER - this is assigned to the cluster VIP. In NSX-T 3.2 onwards, the following API call applies the certificate; no node ID is required, because the siteId is used automatically to apply the certificate to the cluster:
      • POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
  • To discover the siteId, log in as root on any manager and run: cat /config/site-manager/siteId
  • Viewing the certificate:
    • In the NSX-T UI, under System - Certificates, expanding the certificate shows the siteId assigned to it as service type API.
    • The following API call shows the certificate assigned to service type API with the siteId:
      GET /api/v1/trust-management/certificates/<certificate-id>

Note: The certificate ID can be obtained either by expanding the certificate in the UI or by running the API call:
GET /api/v1/trust-management/certificates

Cause

Service type API should only be assigned to nodes, using the node ID of the NSX-T manager. Service type MGMT_CLUSTER is for the cluster VIP, which uses the siteId; the siteId is assigned automatically by the MGMT_CLUSTER POST API call above, which takes no node ID.
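One way to check a saved certificate listing for this condition, as an added example that is not part of the original article or of NSX-T itself. It assumes the response of GET /api/v1/trust-management/certificates holds a `results` list whose entries carry `used_by` bindings with `node_id` and `service_types` fields (confirm against your NSX-T version); the function name and all IDs are constructed placeholders.

```python
import json

# Constructed sample: trimmed response of GET /api/v1/trust-management/certificates.
# Every ID below is a made-up placeholder, not a value from a real deployment.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": "cert-aaaa", "display_name": "mgr-01-api",
         "used_by": [{"node_id": "node-1111", "service_types": ["API"]}]},
        {"id": "cert-bbbb", "display_name": "cluster-vip",
         "used_by": [{"node_id": "site-9999", "service_types": ["MGMT_CLUSTER"]}]},
        {"id": "cert-cccc", "display_name": "mgr-02-api",
         "used_by": [{"node_id": "site-9999", "service_types": ["API"]}]},
        {"id": "cert-dddd", "display_name": "unused", "used_by": []},
    ]
})


def find_misbound_api_certificates(response_text, site_id, manager_node_ids):
    """Return (cert_id, bound_id, reason) for each API binding not on a manager node.

    site_id is the output of `cat /config/site-manager/siteId`;
    manager_node_ids are the node IDs of the individual NSX-T managers.
    """
    managers = set(manager_node_ids)
    findings = []
    for cert in json.loads(response_text).get("results", []):
        for binding in cert.get("used_by") or []:
            if "API" not in (binding.get("service_types") or []):
                continue  # MGMT_CLUSTER on the siteId is the expected binding
            bound_id = binding.get("node_id")
            if bound_id == site_id:
                reason = "service type API bound to the siteId"
            elif bound_id not in managers:
                reason = "service type API bound to an unknown node ID"
            else:
                continue  # API bound to a real manager node: correct
            findings.append((cert.get("id"), bound_id, reason))
    return findings


if __name__ == "__main__":
    for cert_id, bound_id, reason in find_misbound_api_certificates(
            SAMPLE_RESPONSE, "site-9999", ["node-1111", "node-2222"]):
        print(f"{cert_id}: {reason} ({bound_id})")
```

A non-empty result means the certificate matches the symptom described in this article; the remediation remains the support case described under Workaround.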

Resolution

Under normal circumstances, when the correct API calls and the correct node IDs are used to apply the service type API, this issue should not occur.
We have seen that the issue can occur if an incorrect node ID, such as the siteId, is used in the API call that replaces the node (service type API) certificate.

Workaround:
If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.