Attempting to configure an ESXi host transport node fails with "Unable to connect to API service"

Article ID: 385174

Products

VMware NSX

Issue/Introduction

  • Adding a new ESXi Host transport node fails at 48%
  • The nsxcli.log on the ESXi host under /var/log has the following entries while attempting to install:

2024-11-21T21:29:45.417Z 2106152 cli.audit INFO CMD: join management-plane XX.XX.XX.XX thumbprint <thumbprint-obfuscated> token <token-obfuscated> node-uuid abcdabcd-1234-5678-9012-123456ab7890 (duration: 4.734s), Operation status: CMD_EXECUTED_WITH_ERROR_RESULT
2024-11-21T21:29:45.418Z 2106152 cli INFO NSX CLI stopped for user: root
2024-11-25T14:17:45.543Z 2104811 cli INFO NSX CLI started (ESX) for user: root
2024-11-25T14:17:45.626Z 2104811 cli.server.cli_command_service INFO {0} CMD: join management-plane XX.XX.XX.XX thumbprint <thumbprint-obfuscated> token <token-obfuscated> node-uuid bcdabcd-1234-5678-9012-123456ab7890
2024-11-25T14:17:45.628Z 2104811 cli.utils.render_utils WARNING Unable to determine terminal size: [OSError] [Errno 25] Inappropriate ioctl for device
2024-11-25T14:17:46.132Z 2104811 cli.commands.host_shared.register INFO version 7.0.3 buildnum 23794027
2024-11-25T14:17:46.134Z 2104811 cli.commands.host_shared.register INFO Tokenfile is not given
2024-11-25T14:17:46.136Z 2104811 cli.utils.cert_utils INFO Generating certificate using make_cert.py
2024-11-25T14:17:46.138Z 2104811 vmware.runcommand INFO runcommand called with: args = '['/opt/vmware/nsx-common/python/nsx_utils/make_cert.py', 'openssl', 'req', '-new', '-newkey', 'rsa:2048', '-days', '3650', '-nodes', '-x509', '-keyout', '/tmp/tmpojm8ayf2', '-out', '/tmp/tmp_z8ixlid', '-config', '/tmp/tmp62oi6qwx']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.
2024-11-25T14:17:47.400Z 2104811 cli.utils.apiclient ERROR POST /api/v1/fabric/nodes/abcdabcd-1234-5678-9012-123456ab7890?action=register_node raised exception: <class 'ssl.SSLError'>
Traceback (most recent call last):
  File "/opt/vmware/nsx-cli/bin/python/cli/utils/apiclient.py", line 90, in request
    conn.connect()
  File "/lib64/python3.8/http/client.py", line 1428, in connect
  File "/lib64/python3.8/ssl.py", line 500, in wrap_socket
  File "/lib64/python3.8/ssl.py", line 1073, in _create
  File "/lib64/python3.8/ssl.py", line 1342, in do_handshake
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1131)
2024-11-25T14:17:47.405Z 2104811 cli.commands.host_shared.register INFO Stopping nsx-proxy
2024-11-25T14:17:47.406Z 2104811 vmware.runcommand INFO runcommand called with: args = '['/etc/init.d/nsx-proxy', 'stop']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.
2024-11-25T14:17:49.190Z 2104811 cli.commands.host_shared.register INFO Starting nsx-proxy
2024-11-25T14:17:49.194Z 2104811 vmware.runcommand INFO runcommand called with: args = '['/etc/init.d/nsx-proxy', 'start']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.
2024-11-25T14:17:50.403Z 2104811 cli.server.cli_command_service WARNING Exception when registering host: 'Unable to connect to the API service'

  • The NSX API certificate thumbprint cannot be retrieved from the NSX Manager:

On an existing node:
NSX-MGR01> get certificate api thumbprint
% An error occurred while reading the API server certificate

  • The NSX Manager /var/log/syslog and /var/log/nsx-cli/nsxcli.log contain similar messages:


2024-11-25T14:17:46.870Z 2506298 cli.commands.manager.cert ERROR Error getting api certificate thumbprint: rc: 1, out: 'b'\n'', err 'b'120274181229296:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:802:\nunable to load certificate\n124695585991408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: TRUSTED CERTIFICATE\n''
2024-11-25T14:17:46.872Z 2506298 cli.server.cli_command_service WARNING An error occurred while reading the API server certificate
2024-11-25T14:17:46.873Z 2506298 cli.audit INFO CMD: get certificate api thumbprint (duration: 0.085s), Operation status: CMD_EXECUTED_WITH_ERROR_RESULT

Environment

NSX 4.x

Cause

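This issue occurs because TLSv1.2 is disabled on the NSX Managers. TLS connections to the NSX API service are then rejected with a protocol version alert, which is the TLSV1_ALERT_PROTOCOL_VERSION error in the logs above.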

Resolution

Re-enable TLSv1.2 on the NSX Managers using the following API calls:

1. Run the following GET API to read the configuration of the NSX API service:

GET https://<NSX-Manager-IP>/api/v1/cluster/api-service

The API response contains the list of cipher suites and TLS protocols.

2. Enable the TLS 1.2 protocol.

a) In the response from step 1, set TLSv1.2 to enabled = true.

b) Run the following PUT API to send the changes to the NSX API server:

PUT https://<NSX-Manager-IP>/api/v1/cluster/api-service

For more information on running this NSX API call, see the documentation: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/operations-and-management/managing-the-nsx-manager-cluster/update-api-service-configuration-of-the-nsx-manager-cluster.html
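
Steps 1 and 2 as a read-modify-write script, added here as an example (not Broadcom's code). The field names protocol_versions, name, enabled and _revision, the use of basic authentication, and the function names are assumptions to check against your own GET response.

```python
import base64
import copy
import json
import ssl
import urllib.request

API_PATH = "/api/v1/cluster/api-service"  # endpoint from steps 1 and 2

# Constructed sample of a GET response body, not captured from a real manager.
# Field names are assumptions; compare them with your own GET output.
SAMPLE_CONFIG = {
    "protocol_versions": [
        {"name": "TLSv1.1", "enabled": False},
        {"name": "TLSv1.2", "enabled": False},
        {"name": "TLSv1.3", "enabled": True},
    ],
    "_revision": 7,
}

def enable_protocol(config, name="TLSv1.2"):
    """Return (new_config, changed) with `name` enabled; the input is not mutated."""
    updated = copy.deepcopy(config)
    entries = [p for p in updated.get("protocol_versions", []) if p.get("name") == name]
    if not entries:
        raise KeyError(f"{name} is not listed in protocol_versions")
    changed = False
    for entry in entries:
        if not entry.get("enabled"):
            entry["enabled"] = True
            changed = True
    return updated, changed

def reenable_tls12(manager, user, password, context=None):
    """GET the config, enable TLSv1.2, and PUT it back only if it changed."""
    # The client running this must itself support a protocol version that is
    # still enabled on the manager, or the GET fails like the host's request did.
    url = f"https://{manager}{API_PATH}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    ctx = context or ssl.create_default_context()  # verifies the manager certificate
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), context=ctx) as resp:
        current = json.load(resp)
    updated, changed = enable_protocol(current)
    if changed:  # send the whole object back so other settings are preserved
        body = json.dumps(updated).encode()
        put = urllib.request.Request(url, data=body, headers=headers, method="PUT")
        urllib.request.urlopen(put, context=ctx).close()
    return changed
```

After the PUT succeeds, `get certificate api thumbprint` on the manager should return a thumbprint again before the host transport node configuration is retried.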