Accessing NSX Management UI shows an error with "Client certificate not found in trust store"
search cancel

Accessing NSX Management UI shows an error with "Client certificate not found in trust store"

book

Article ID: 386719

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • A pop-up for certificate selection appears when accessing NSX UI.
  • Selecting any certificate from the pop up will result in the NSX UI becoming inaccessible due to internal server error: 
    {"module_name":"common-services","error_message":"Internal server error has occurred.","details":"Client certificate not found in trust store","error_code":99}
  • Log lines similar to the below are encountered in /var/log/proxy/reverse-proxy.log 
    WARN Processing request ########-####-####-####-############ RequestHandlerFactory 8376 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Client certificate 'CN=####, OU=####, OU=####, OU=####, DC=####, DC=####, DC=####, DC=####' not found in trust store
    ERROR http-nio-127.0.0.1-6565-exec-2070 ExceptionUtils 8376 - [nsx@6876 comp="nsx-manager" errorCode="MP98" level="ERROR" subcomp="http"] Uncaught exception
    java.lang.RuntimeException: Client certificate not found in trust store
            at com.vmware.nsx.management.rp.RequestHandlerFactory.isUnifiedAppliance(RequestHandlerFactory.java:70) ~[libreverse-proxy-compile.jar:?]
            at com.vmware.nsx.management.rp.PreAuthenticationProxyFilter.doFilter(PreAuthenticationProxyFilter.java:67) ~[libreverse-proxy-compile.jar:?] 

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX

Cause

The client computer's trust store has a certificate with same subject name as one of the Local Managers/Global Managers certificate.

Resolution

This issue is resolved in VMware NSX 4.1.2.3, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

 

Workaround:
When the browser asks to select a certificate to continue logging onto the system, click cancel, instead of attempting to select a certificate.
Then proceed to login normally and you should not get presented with this message now.
Remove certificate from your computer's trust store if this is not required.

Additional Information

Users will still see pop up if they have configured a principle identity and the certificate of the principle identity is present in the computer's trust store.

Powered by Wolken Software