After redeploying NSX Manager, repo sync is in failed status

Article ID: 395087

Updated On: 04-22-2025

Products

VMware NSX, VMware NSX for vSphere

Issue/Introduction

In the NSX Manager UI System Overview page, one or more NSX Managers show Repository Sync State in red with error "Sync Failed".

This occurs after at least one NSX Manager has been redeployed.

Your NSX version is 4.2 or later and was upgraded from 4.1.x or earlier.

You are using custom or 3rd party CA certificates for the NSX API and UI access.

In /var/log/syslog you see the error:

NSX 436657 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] certificate verification <CERTIFICATE UUID> from <FQDN>:443 failed: SSL: no alternative certificate subject name matches target host name '<FQDN>'

Environment

NSX 4.2 or later

Cause

From NSX version 4.2 onward, the API certificate for the NSX Manager nodes is shared with the cluster VIP. In previous versions, the manager nodes and the VIP each had their own certificate assigned for API and cluster access.

Custom certificates used for API and cluster access were generally not created with Subject Alternative Names and Subject Alternative IPs (SAN/SAI).

Upgraded NSX Managers retain their certificates from older versions, so each manager still functions as it did previously. However, if a new manager is deployed (to replace a failing manager or to change the manager deployment size), the new appliance binds to the cluster VIP certificate. If that certificate does not have a SAN or SAI that matches the node IP, it fails to properly identify the server and the repo sync fails.

Resolution

This can be resolved by creating a new certificate for the cluster VIP, either self-signed or issued by a 3rd party CA, that includes the Subject Alternative Name and Subject Alternative IP for all NSX Manager nodes in the cluster.

For details on how to create certificates for NSX services, please refer to the Certificates section of the online documentation.
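Before requesting the replacement certificate, it helps to confirm which node names and IPs the current VIP certificate leaves uncovered. The following is an added example, not VMware code: the host names, IP addresses, and function names are constructed for illustration, and the SAN input uses the tuple format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed sample: SAN entries of a VIP certificate issued for the VIP only.
VIP_CERT_SANS = (("DNS", "nsx-vip.example.test"), ("IP Address", "192.0.2.10"))

# Hypothetical inventory: the VIP plus every manager node (FQDN -> IP).
CLUSTER = {
    "nsx-vip.example.test": "192.0.2.10",
    "nsx-mgr-01.example.test": "192.0.2.11",
    "nsx-mgr-02.example.test": "192.0.2.12",
    "nsx-mgr-03.example.test": "192.0.2.13",
}

def _dns_match(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def missing_identities(sans, cluster):
    """Return (kind, value) pairs the certificate's SAN list does not cover."""
    dns = [v for k, v in sans if k == "DNS"]
    ips = {ipaddress.ip_address(v) for k, v in sans if k == "IP Address"}
    missing = []
    for fqdn, ip in cluster.items():
        if not any(_dns_match(p, fqdn) for p in dns):
            missing.append(("DNS", fqdn))
        if ipaddress.ip_address(ip) not in ips:
            missing.append(("IP", ip))
    return missing

def san_extension(cluster):
    """Value for 'subjectAltName =' in an OpenSSL request config."""
    parts = []
    for fqdn, ip in cluster.items():
        parts += [f"DNS:{fqdn}", f"IP:{ip}"]
    return ",".join(parts)

if __name__ == "__main__":
    for kind, value in missing_identities(VIP_CERT_SANS, CLUSTER):
        print(f"not covered by VIP certificate: {kind} {value}")
    print("subjectAltName =", san_extension(CLUSTER))
```

Any entry reported as not covered is a name or IP for which hostname verification against the shared certificate will fail, as in the syslog error above.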