Deploying a new edge from the NSX UI fails with a message similar to the following:
NSX API log: (/var/log/proton/nsxapi.log)
"errorMessage=Error occurred during vmdk transfer. javax.net.ssl.SSLHandshakeException CRL check failed: Couldn't find signing principal of the CRL CN=XXX"
NSX CM Inventory log: (/var/log/cm-inventory/cm-inventory.log)
2024-10-16T01:14:47.227Z INFO Thread-17 CrlWebFetcher 4860 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] Fetching CRL from http://crl.xxx.crl
2024-10-16T01:14:47.237Z WARN Thread-17 CdpCrlChecker 4860 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] No CDP specified in the certificate for CN=xxx
NSX
While syncing the inventory with vCenter, the NSX-T Manager calls back to a certificate authority (CA) to validate the certificates. In this case, the PSC provides only the bare minimum functionality of a CA, so this call-back function needs to be disabled on the NSX-T Manager.
Run the following API calls against the NSX Manager to disable the CRL check.
1. GET https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config
This returns a few flags in a JSON structure, one of which is called
"crl_checking_enabled": "true".
2. Change "true" to "false" and use that JSON structure as the body for the API call:
POST https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config
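The two steps above as a script, added here as an example and not part of the original article. It changes only crl_checking_enabled, keeps the value type the GET returned, and leaves TLS verification of the NSX Manager on. Basic authentication, the ca_file parameter, the function names and the sample keys other than crl_checking_enabled are assumptions.

```python
import base64
import copy
import json
import ssl
import urllib.request

PATH = "/policy/api/v1/infra/security-global-config"  # path from the steps above

def build_update_body(current: dict) -> dict:
    """Return a copy of the GET response with only crl_checking_enabled turned off."""
    if "crl_checking_enabled" not in current:
        raise KeyError("crl_checking_enabled not present in the GET response")
    body = copy.deepcopy(current)
    # Keep the value's type: the article prints the flag as the string "true";
    # if the manager returns a JSON boolean instead, send a boolean back.
    old = body["crl_checking_enabled"]
    body["crl_checking_enabled"] = "false" if isinstance(old, str) else False
    return body

def changed_keys(before: dict, after: dict) -> list:
    """Keys whose values differ; used to confirm nothing else was touched."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def call(host, user, password, method, body=None, ca_file=None):
    """Send one request to the NSX Manager (assumes basic auth; TLS verification on)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{PATH}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")

def disable_crl_check(host, user, password, ca_file=None):
    current = call(host, user, password, "GET", ca_file=ca_file)   # step 1
    body = build_update_body(current)                              # step 2
    if changed_keys(current, body) not in ([], ["crl_checking_enabled"]):
        raise RuntimeError("unexpected change to the security global config")
    return call(host, user, password, "POST", body, ca_file=ca_file)

# Constructed sample of a GET response; keys other than crl_checking_enabled are made up.
SAMPLE = {"crl_checking_enabled": "true", "example_other_flag": "true", "example_rev": 3}
```

Saving the step 1 response before sending the update gives the exact body needed to turn the check back on later.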