Compute Manager status down in NSX UI after certificate change

Article ID: 384069

Products

VMware NSX

VMware NSX-T Data Center

Issue/Introduction

The Compute Manager shows a status of Down in the NSX UI after a certificate replacement.

The error message is similar to "CRL check for certificate for compute manager <vCenter FQDN> failed because of xxxx-xxxx-xxxx-xxxx"

A similar message appears in the NSX Manager cm-inventory logs:

2024-12-10T14:31:11.672Z  WARN Thread-26 CrlWebFetcher 84744 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] CRL 'http://xxxx/xxxx.crl' cache missed due to 'java.security.cert.CRLException: Couldn't read CRL from http://127.0.0.1:7440/nsxapi/api/v1/trust-management/cdps/crl?id=http%xxxxx.crl'.  Will fetch directly from the web.

 

An alarm may be generated in NSX Manager indicating that the ESX Agent Manager (EAM) service on compute manager xxxxxxxx-xxxx-xxxx-xxxxxxxxxxx is down.

Environment

VMware NSX

VMware NSX-T Data Center

Cause

The issue occurs because the CRL (certificate revocation list) referenced by the vCenter certificate is not accessible from the NSX Manager.
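
One way to confirm this cause, as an added example that is not part of the original article: the Python script below pulls the failing CRL URLs out of cm-inventory log lines in the format quoted above and tests whether each one is reachable and actually returns CRL data. The sample log lines and hostnames are constructed, and the script assumes it is run from a host with the same network path (DNS, proxy, firewall rules) as the NSX Manager.

```python
import http.client
import re
import sys
import urllib.request
from collections import Counter

# Matches the CrlWebFetcher warning format quoted in this article.
CRL_MISS = re.compile(r"CrlWebFetcher\b.*?\bCRL '([^']+)' cache missed")
PEM_HEADER = b"-----BEGIN X509 CRL-----"

def failing_crl_urls(lines):
    """Count cache-miss warnings per CRL distribution point URL."""
    hits = Counter()
    for line in lines:
        m = CRL_MISS.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def looks_like_crl(body):
    """True if the bytes start like a DER (ASN.1 SEQUENCE, 0x30) or PEM CRL."""
    head = body.lstrip()[:len(PEM_HEADER)]
    return head.startswith(b"\x30") or head == PEM_HEADER

def probe(url, timeout=5):
    """Fetch a CRL URL over HTTP(S); return (ok, detail) without raising."""
    if not url.lower().startswith(("http://", "https://")):
        return False, "not an http(s) URL, check it by other means"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536)
    except (OSError, ValueError, http.client.HTTPException) as exc:
        return False, f"unreachable: {exc}"
    if not looks_like_crl(body):
        return False, "reachable, but the response is not a CRL (proxy or error page?)"
    return True, "reachable and returns CRL data"

# Constructed sample lines in the article's log format; hostnames are placeholders.
FMT = ("{ts}  WARN Thread-26 CrlWebFetcher 84744 SYSTEM [nsx@6876 comp=\"nsx-manager\" "
       "level=\"WARNING\" subcomp=\"cm-inventory\"] CRL '{url}' cache missed due to "
       "'java.security.cert.CRLException: Couldn't read CRL'.  Will fetch directly from the web.")
SAMPLE_LOG = [
    FMT.format(ts="2024-12-10T14:31:11.672Z", url="http://crl.example.invalid/ca.crl"),
    FMT.format(ts="2024-12-10T14:36:11.700Z", url="http://crl.example.invalid/ca.crl"),
    "2024-12-10T14:36:12.001Z  INFO Thread-3 SomeOtherComponent unrelated message",
]

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the constructed sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for url, count in failing_crl_urls(source).items():
        ok, detail = probe(url)
        print(f"{'OK  ' if ok else 'FAIL'} {url} ({count} warnings): {detail}")
```

A FAIL result for the URL named in the warning matches the cause described here; an OK result after the certificate or network path is changed indicates the CRL is now retrievable.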

 

Resolution

There are two solutions:

1. Update the vCenter certificate to one whose CRL the NSX Manager can access.

or

2. Disable the CRL check on the NSX Manager by using the following NSX API call:

PUT https://<policy-mgr>/policy/api/v1/infra/security-global-config

Use the following as the request body:

{
  "crl_checking_enabled": "false"
}

 

Return to the NSX Manager UI and go to System > Fabric > Compute Managers. Select Edit on the linked vCenter, re-enter the credentials, and click SAVE to re-establish the connection between vCenter and NSX Manager.