NSX Manager UI does not list all certificates in LB Profiles for Virtual Servers

Article ID: 384524

Products

VMware NSX

Issue/Introduction

  • Virtual Servers are configured from the NSX UI
  • When editing the Virtual Server's LB Profile, under Client Side SSL or Server Side SSL, the list for assigning a Default Certificate does not list all the certificates that are displayed in the System > Certificates section of the UI.
  • The missing certificates are not self-signed

Environment

VMware NSX

Cause

This is a known issue in NSX. The search filter used to list certificates in the Load-Balancing > Virtual Servers > LB Profiles configuration wizard is incomplete and can skip certificates that are externally signed.

Resolution

To work around this issue, use the REST API to assign the desired certificate to the Virtual Server:

  • Send GET https://<nsx-mgr>/api/v1/loadbalancer/virtual-servers to identify the UUID of the Virtual Server (VS) to edit
  • Send GET https://<nsx-mgr>/api/v1/loadbalancer/server-ssl-profiles or GET https://<nsx-mgr>/api/v1/loadbalancer/client-ssl-profiles to obtain the ID of a suitable SSL Profile
  • Send GET https://<nsx-mgr>/api/v1/loadbalancer/virtual-servers/<UUID> to obtain the description record for this VS
  • To configure a Client SSL certificate, modify the ClientSslProfileBinding section of the VS record (or add one if there isn't one) so that it refers to the ID of the desired certificate:
        "client_ssl_profile_binding": {
          "certificate_chain_depth": 3,
          "client_auth": "IGNORE",
          "default_certificate_id": "<cert UUID>",
          "ssl_profile_id": "<ssl profile UUID>"
        },
  • If you are not configuring a Server SSL certificate, you still need to modify the ServerSSLProfileBinding section of the VS record (or add one if there isn't one) so that it refers to a suitable server-ssl-profile:
        "server_ssl_profile_binding": {
          "certificate_chain_depth": 3,
          "server_auth": "IGNORE",
          "ssl_profile_id": "<ssl profile UUID>"
        },
  • If you want to configure a Server SSL certificate, include the ID of the desired certificate in the ServerSSLProfileBinding section:
        "server_ssl_profile_binding": {
          "certificate_chain_depth": 3,
          "server_auth": "IGNORE",
          "default_certificate_id": "<cert UUID>",
          "ssl_profile_id": "<ssl profile UUID>"
        },
  • Send PUT https://<nsx-mgr>/api/v1/loadbalancer/virtual-servers/<UUID> with the modified JSON record from the previous steps as the request body, in order to update the VS in NSX
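The edit-and-PUT steps above can be scripted. The following Python sketch is an added example, not VMware's code. It merges the two bindings into the record returned by GET without overwriting fields that are already set (for example an existing "server_auth" value), then builds the PUT request without sending it. The function names, the sample record and its IDs are constructed for illustration. It assumes the record carries its UUID in "id" and a "_revision" field that must be sent back unchanged, and it leaves authentication to the caller.

```python
import copy
import json
import urllib.request

# Defaults copied from the article's JSON fragments; used only for fields the
# existing record does not already set, so a stricter value is never overwritten.
CLIENT_DEFAULTS = {"certificate_chain_depth": 3, "client_auth": "IGNORE"}
SERVER_DEFAULTS = {"certificate_chain_depth": 3, "server_auth": "IGNORE"}


def _merge_binding(vs, key, defaults, ssl_profile_id, cert_id):
    binding = dict(vs.get(key) or {})      # keep any fields already configured
    for field, value in defaults.items():
        binding.setdefault(field, value)
    binding["ssl_profile_id"] = ssl_profile_id
    if cert_id is not None:
        binding["default_certificate_id"] = cert_id
    vs[key] = binding


def bind_certificates(vs_record, client_profile_id, client_cert_id,
                      server_profile_id, server_cert_id=None):
    """Return a copy of the GET record with both SSL profile bindings set."""
    vs = copy.deepcopy(vs_record)          # leave the caller's record untouched
    _merge_binding(vs, "client_ssl_profile_binding", CLIENT_DEFAULTS,
                   client_profile_id, client_cert_id)
    _merge_binding(vs, "server_ssl_profile_binding", SERVER_DEFAULTS,
                   server_profile_id, server_cert_id)
    return vs


def build_put_request(nsx_mgr, vs):
    """Build (but do not send) the PUT; authentication is left to the caller."""
    url = f"https://{nsx_mgr}/api/v1/loadbalancer/virtual-servers/{vs['id']}"
    return urllib.request.Request(
        url, data=json.dumps(vs).encode(), method="PUT",
        headers={"Content-Type": "application/json"})


# Constructed sample record (placeholder IDs, not from a real NSX Manager).
SAMPLE_VS = {
    "id": "vs-uuid-placeholder",
    "display_name": "web-vs",
    "_revision": 4,                        # assumed field; send back unchanged
    "server_ssl_profile_binding": {"server_auth": "REQUIRED",
                                   "ssl_profile_id": "old-profile"},
}
```

Diff the output of bind_certificates against the original GET record before sending the PUT, so that only the two binding sections change.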