tkgi rotate-certs fails with Error status 400


Article ID: 388206


Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

In TKGi 1.19.2, running the command below fails with the error message "Error: status 400 reading NSXClient#bindPrincipalIdentities(UpdatePICertificateRequest)":

tkgi rotate-certs <cluster_name> --only-nsx

followed by the error below:

cluster status changed to "failed".

 

Environment

TKGi 1.19.2
tkgicli 1.19.0-build.148
NSX 4.2.1.0.0.24304122

Cause

NSX 4.2 implemented a check that a certificate is replaced only by one of the same kind. It only allows:

replace "certificate with private key" with new "certificate with private key" 
replace "certificate without private key" with new "certificate without private key"

Depending on whether the principal identity (PI) certificate has already been rotated, the certificate can be with or without a private key, so both cases need to be tried.

Resolution

Manual solution

Follow the manual solution outlined in Article 330615.

Permanent fix

Upgrade to TKGi 1.20.0 or above. A fix has been implemented so that the command 'tkgi rotate-certs <cluster_name> --only-nsx' completes successfully and rotates the certificate in line with the NSX 4.2 change outlined in the Cause section above.