Certificate thumbprint mismatch after replacing certificates on the Local Manager in an NSX Federation environment.
Article ID: 386730

Products

VMware NSX

Issue/Introduction

  • Certificates have been replaced or renewed on an NSX Local Manager.
  • The new thumbprint of the Local Manager has not been updated on the Global Manager.
  • On the Global Manager, you may see the following entries in the log file /var/log/gmanager/gmanager.log:


 2023-05-24T23:00:00.018Z  WARN ENFORCEMENT_POINT_RELOAD_TASK-0 NsxTrustManager 12773 SYSTEM [nsx@6876 comp="global-manager" level="WARNING" reqId="########-####-####-####-########77e1" subcomp="global-manager" username="system"] Thumbprint mismatch for ############################################################
 
 2023-05-24T23:00:00.019Z  WARN ENFORCEMENT_POINT_RELOAD_TASK-0 NsxTRestClient 12773 POLICY [nsx@6876 comp="global-manager" level="WARNING" reqId="########-####-####-####-########77e1" subcomp="global-manager" username="system"] REST API failed: /api/v1/transport-zones GET null
 org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://###.###.###.###:443/api/v1/transport-zones": ############################################################; nested exception is javax.net.ssl.SSLHandshakeException: ############################################################
         at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) ~[spring-web-5.3.20.jar:5.3.20]
         at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:711) ~[spring-web-5.3.20.jar:5.3.20]
         at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:602) ~[spring-web-5.3.20.jar:5.3.20]
         at com.vmware.nsx.management.policy.policyframework.restutils.NsxTRestClient.sendRequest_aroundBody0(NsxTRestClient.java:182) ~[libpolicy-framework-api.jar:?]
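
The two entries above carry the same reqId, so the mismatch warning can be tied to the REST call that failed because of it. The following is an added example (not VMware code) that scans gmanager.log text for that pair; the sample lines, reqId values, hostname and thumbprint in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the gmanager.log excerpt above; the
# reqId values, hostname and thumbprint are placeholders, not real data.
SAMPLE_LOG = """\
2023-05-24T23:00:00.018Z  WARN ENFORCEMENT_POINT_RELOAD_TASK-0 NsxTrustManager 12773 SYSTEM [nsx@6876 comp="global-manager" level="WARNING" reqId="00000000-0000-0000-0000-0000000077e1" subcomp="global-manager" username="system"] Thumbprint mismatch for <constructed-thumbprint>
2023-05-24T23:00:00.019Z  WARN ENFORCEMENT_POINT_RELOAD_TASK-0 NsxTRestClient 12773 POLICY [nsx@6876 comp="global-manager" level="WARNING" reqId="00000000-0000-0000-0000-0000000077e1" subcomp="global-manager" username="system"] REST API failed: /api/v1/transport-zones GET null
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://lm-a.example.invalid:443/api/v1/transport-zones": handshake failed; nested exception is javax.net.ssl.SSLHandshakeException: handshake failed
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785)
2023-05-24T23:05:00.000Z  WARN ENFORCEMENT_POINT_RELOAD_TASK-0 NsxTRestClient 12773 POLICY [nsx@6876 comp="global-manager" level="WARNING" reqId="00000000-0000-0000-0000-0000000088f2" subcomp="global-manager" username="system"] REST API failed: /api/v1/transport-zones GET null
"""

# Header line: timestamp, level, thread, logging class, ..., reqId, "] message".
HEADER = re.compile(
    r'^\s*(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+(?P<level>\w+)\s+\S+\s+(?P<cls>\S+)\s'
    r'.*?reqId="(?P<req>[^"]+)".*?\]\s(?P<msg>.*)$')
URL_HOST = re.compile(r'request for "https://([^/:"]+)')

def find_thumbprint_failures(text):
    """Return {reqId: details} for every request that logged a thumbprint mismatch."""
    events = defaultdict(lambda: {"mismatch_at": None, "failed_api": None,
                                  "host": None, "tls_error": False})
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = events[m["req"]]
            if m["cls"] == "NsxTrustManager" and m["msg"].startswith("Thumbprint mismatch"):
                current["mismatch_at"] = m["ts"]
            elif m["msg"].startswith("REST API failed:"):
                current["failed_api"] = m["msg"].split()[3]  # path after "failed:"
        elif current is not None:  # continuation: exception text or stack frame
            if "SSLHandshakeException" in line:
                current["tls_error"] = True
            host = URL_HOST.search(line)
            if host:
                current["host"] = host.group(1)
    # A REST failure without a mismatch warning in the same request is not reported.
    return {req: ev for req, ev in events.items() if ev["mismatch_at"]}

if __name__ == "__main__":
    for req, ev in find_thumbprint_failures(SAMPLE_LOG).items():
        print(req, ev)
```

The host reported for each finding identifies the Local Manager whose thumbprint needs to be updated on the Global Manager.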

 

Environment

VMware NSX

Cause

When a certificate is replaced on a Local Manager, the Local Manager's thumbprint must also be updated on the Global Manager.

Resolution

On a Local Manager node, log in to the CLI as admin.
Run the command "get certificate cluster thumbprint" and take note of the thumbprint returned.


On the Global Manager (GM), update the SHA-256 Thumbprint:
 From the Global Manager UI, click the System tab, click Location Manager on the left, select Locations and choose the Local Manager. Click Actions and then select Edit Settings.
 Update the SHA-256 Thumbprint. Verify and Save.
 
Alternatively, follow the KB: https://knowledge.broadcom.com/external/article?articleNumber=322476