Compute Manager status shows down in NSX UI after certificate change
Article ID: 384069

Products

VMware NSX
VMware NSX-T Data Center

Issue/Introduction

  • On NSX, the Compute Manager status shows down after the vCenter certificate is replaced. 
  • The NSX UI displays an error similar to one of these examples:
    CRL check for certificate for compute manager <vCenter FQDN/IP> failed because of <ID>
    or
    CRL check for certificate of Compute Manager <IP> failed because of CRL check failed: Couldn't fetch the CRL issued by any of the CDPs for CN=<>,OU=<>,O=<>,L=<>,ST=<>,C=<>. (Error code: 90206)
  • In versions prior to NSX 4.2.0, a log message similar to this example may be seen in the NSX Manager cm-inventory log (log path: /var/log/cm-inventory/cm-inventory.log):
    2024-12-10T14:31:11.672Z  WARN Thread-26 CrlWebFetcher 84744 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] CRL 'http://example.com/####.crl' cache missed due to 'java.security.cert.CRLException: Couldn't read CRL from http://127.0.0.1:7440/nsxapi/api/v1/trust-management/cdps/crl?id=http%###.crl'.  Will fetch directly from the web.
  • In NSX 4.2.0 and above, the following error may be seen in cm-inventory.log:
    2025-09-19T17:56:19.080Z  WARN NSX 88723 [nsx@4413 comp="nsx-manager" level="WARNING" logger="CrlWebDirectFetcher" msgID="SYSTEM" subcomp="cm-inventory" threadName="InventoryFetcher-<ID>"] Couldn't read CRL from http://example.com/root.crl
  • An alarm is generated in NSX Manager indicating that the ESX Agent Manager (EAM) service on the Compute Manager is down.

Environment

VMware NSX
VMware NSX-T Data Center

Cause

The CRL (Certificate Revocation List) distribution point in the vCenter certificate is not accessible from the NSX Manager, so the revocation status cannot be checked and the vCenter certificate is not trusted.
As a result, the existing Compute Manager is shown as down, or a new Compute Manager registration is rejected.
If the CRL distribution point is LDAP based, NSX cannot access it at all: LDAP CRL endpoints are not supported.
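As an added check (example code, not from this article or from VMware), the following Python script parses the crlDistributionPoints extension of the vCenter certificate as printed by openssl, flags LDAP distribution points that NSX Manager cannot use, and tests whether the HTTP ones can actually be downloaded when run from the NSX Manager. The embedded sample extension text, CA name and hostnames are constructed.

```python
"""Classify the CRL distribution points (CDPs) of a vCenter certificate, read from:
openssl s_client -connect <vCenter>:443 </dev/null 2>/dev/null | openssl x509 -noout -ext crlDistributionPoints
"""
import re
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of 'openssl x509 -ext crlDistributionPoints' output;
# CA name and hostnames are hypothetical, not taken from the article.
SAMPLE_EXT = """X509v3 CRL Distribution Points:
    Full Name:
      URI:ldap:///CN=Example-CA,CN=CDP,DC=example,DC=com?certificateRevocationList?base
    Full Name:
      URI:http://pki.example.com/CertEnroll/Example-CA.crl
"""
URI_RE = re.compile(r"URI:(\S+)")

def extract_cdp_uris(ext_text):
    """Return every URI listed in the crlDistributionPoints extension text."""
    return URI_RE.findall(ext_text)

def classify_cdps(uris):
    """Split CDP URIs into ones NSX can fetch (http/https) and ones it cannot (ldap etc.)."""
    fetchable, unsupported = [], []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        (fetchable if scheme in ("http", "https") else unsupported).append(uri)
    return fetchable, unsupported

def crl_reachable(uri, timeout=5):
    """Fetch the CRL over HTTP(S) as NSX's CrlWebDirectFetcher does; True on HTTP 200."""
    try:
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            return resp.status == 200
    except (OSError, ValueError):  # URLError is a subclass of OSError
        return False

def main():
    text = SAMPLE_EXT if sys.stdin.isatty() else sys.stdin.read()
    fetchable, unsupported = classify_cdps(extract_cdp_uris(text))
    for uri in unsupported:
        print(f"UNSUPPORTED (NSX cannot fetch LDAP CDPs): {uri}")
    for uri in fetchable:
        print(f"{'reachable' if crl_reachable(uri) else 'NOT reachable'}: {uri}")
    if not fetchable:
        print("No HTTP CDP: CRL check will fail; reissue the certificate or disable the check.")

if __name__ == "__main__":
    main()
```

Run it on the NSX Manager itself so the reachability test reflects the path NSX actually uses.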

Resolution

  • Reissue the vCenter certificate with a CRL distribution point that the NSX Manager can reach (i.e. not LDAP based). 

    or

  • Disable the CRL check on the NSX Manager with a REST client such as Postman, using the following NSX API call. With CRL checking disabled, NSX Manager no longer validates the revocation status of certificates covered by this setting.
    PUT https://<policy-mgr>/policy/api/v1/infra/security-global-config

    Put the following inside the body (the value is a JSON boolean, not a string):

    {
      "crl_checking_enabled": false
    }
  • Return to the NSX Manager UI and go to System > Fabric > Compute Managers. Select Edit on the linked vCenter, re-enter the credentials, and click SAVE to re-establish the connection between vCenter and NSX Manager.

Additional Information