Unable to deploy an edge from NSX UI, getting message the install failed. Error message "Error occurred during vmdk transfer. javax.net.ssl.SSLHandshakeException CRL check failed"


Article ID: 386659


Products

VMware NSX

Issue/Introduction

Deploying a new edge from the NSX UI fails with a message similar to the following:

NSX API log: (/var/log/proton/nsxapi.log)

"errorMessage=Error occurred during vmdk transfer. javax.net.ssl.SSLHandshakeException CRL check failed: Couldn't find signing principal of the CRL CN=XXX"

NSX CM Inventory log: (/var/log/cm-inventory/cm-inventory.log)

2024-10-16T01:14:47.227Z  INFO Thread-17 CrlWebFetcher 4860 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Fetching CRL from http://crl.xxx.crl
2024-10-16T01:14:47.237Z  WARN Thread-17 CdpCrlChecker 4860 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] No CDP specified in the certificate for CN=xxx

 

Environment

NSX

Cause

While syncing the inventory with vCenter, the NSX-T manager makes a call back to a certificate authority (CA) to validate the certificates. In this case, the PSC provides only the bare minimum functionality of a CA, so this call-back function needs to be disabled on the NSX-T manager.

Resolution

Run the following API calls against the NSX Manager to disable the CRL check.

1. GET https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config

This returns a few flags in a JSON structure, one of which is "crl_checking_enabled": "true".

2. Modify "true" to "false" and use that JSON structure as the body for the API call:

POST https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config
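
The two steps above as a read-modify-write script, added here as an example; it is not part of the original article or of VMware's tooling. It assumes HTTP basic authentication and the environment variable names NSX_HOST, NSX_USER, NSX_PASS and NSX_CA_FILE; the sample response is constructed, and only crl_checking_enabled and the endpoint are taken from the article.

```python
import base64, json, os, ssl, urllib.request

PATH = "/policy/api/v1/infra/security-global-config"  # endpoint from the article

# Constructed sample of a GET response; only crl_checking_enabled is from the article.
SAMPLE_RESPONSE = {"crl_checking_enabled": "true", "example_other_flag": "true", "_revision": 3}

def disable_crl_check(config):
    """Return a copy of the GET body with only crl_checking_enabled set to false."""
    if "crl_checking_enabled" not in config:
        raise KeyError("crl_checking_enabled not in response; refusing to build a body")
    updated = dict(config)
    # The article shows the string "true"; keep the type the manager returned.
    as_string = isinstance(config["crl_checking_enabled"], str)
    updated["crl_checking_enabled"] = "false" if as_string else False
    return updated

def changed_keys(before, after):
    """Keys whose values differ, so unintended edits are caught before sending."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def call(host, method, user, password, body=None):
    """Send one request to the manager; TLS verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{host}{PATH}", data=data, method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    # NSX_CA_FILE (assumed name) may point at the CA that signed the manager certificate.
    ctx = ssl.create_default_context(cafile=os.environ.get("NSX_CA_FILE"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")

def main():
    host, user, pw = (os.environ[k] for k in ("NSX_HOST", "NSX_USER", "NSX_PASS"))
    current = call(host, "GET", user, pw)                 # step 1
    desired = disable_crl_check(current)                  # step 2: flip one flag
    if changed_keys(current, desired) not in ([], ["crl_checking_enabled"]):
        raise RuntimeError("body differs in more than crl_checking_enabled")
    call(host, "POST", user, pw, desired)                 # method as given in the article
    print("crl_checking_enabled:", call(host, "GET", user, pw)["crl_checking_enabled"])

if __name__ == "__main__":
    main()
```

The final GET confirms the value the manager actually stored, and every other field returned in step 1 is sent back unchanged.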