K8S_MSG_CLIENT certificates cannot be deleted after NAPP undeployment, causing an expired certificate alarm on NSX Manager.

Article ID: 393976

Products

VMware vDefend Firewall with Advanced Threat Prevention, VMware vDefend Firewall

Issue/Introduction

After NAPP undeployment, the K8S_MSG_CLIENT certificate is left behind and cannot be deleted.

Even after involving GSS to delete the certificate, it gets added back to the Certificates UI after a while.

This certificate eventually expires and causes certificate expiry alarms that cannot be resolved.

Environment

Any NSX version on which NAPP 4.2 is undeployed.

Cause

The certificate that was left behind is also stored on disk. Removing the certificate from the trust-management system does not clean up the on-disk copy.

As a result, the system tries to repair itself after a reboot and reintroduces the certificate into the database.

Resolution

Please contact GSS to resolve the issue.

Additional Information

Note: To renew the K8S_MSG_CLIENT self-signed certificate in the NSX Manager UI when NAPP is deployed, follow the KB article below:

https://knowledge.broadcom.com/external/article/387518/renewing-k8smsgclient-selfsigned-certifi.html