In TKGi 1.19.2, after running the command below, you see the error message "Error: status 400 reading NSXClient#bindPrincipalIdentities(UpdatePICertificateRequest)":
tkgi rotate-certs <cluster_name> --only-nsx
followed by the error below:
cluster status changed to "failed".
TKGi 1.19.2
tkgicli 1.19.0-build.148
NSX 4.2.1.0.0.24304122
NSX 4.2 implemented a check that a certificate is replaced only by one of the same kind. It only allows:
replace "certificate with private key" with new "certificate with private key"
replace "certificate without private key" with new "certificate without private key"
Depending on whether the PI (principal identity) certificate has already been rotated, it can be with or without a private key, so both cases need to be tried.
Manual solution
Follow the manual solution outlined in Article 330615.
Permanent fix
Upgrade to TKGi 1.20.0 or above, where a fix has been implemented so that the command 'tkgi rotate-certs <cluster_name> --only-nsx' operates successfully and rotates based on the change in NSX 4.2 outlined in the cause section above.