NSX-T Login page is not redirecting to vIDM (WorkspaceONE) after certificates renewal
Article ID: 396503

Products

VMware NSX

Issue/Introduction

  • After certificate renewal, the NSX Manager login page no longer redirects to the vIDM (Workspace ONE) login page, and an error message similar to the following is shown:
    Workspace ONE Access is not accessible. Log in to NSX Manager using your local user account
  • In the NSX Manager log /var/log/proton/nsxapi.log you see errors similar to:
    INFO providerTaskExecutor-1-30 NsxTrustManager 76712 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] checkServerTrusted: CN=####,O=####.,L=####,ST=####,C=#### for authType=ECDHE_RSA failed: CRL check failed: Couldn't find signing principal of the CRL CN=####,OU=####,O=####,L=####,ST=####,C=####
  • You can still log in successfully using local accounts.

Environment

VMware NSX

Cause

The error indicates that while verifying the CRL, the system was unable to locate the signing principal (the public key or certificate of the entity that signed the CRL). This typically means there is a problem with the CRL's signature or its association with a trusted authority. 

Resolution

This is a condition that may occur in a VMware NSX environment.

If you believe you have encountered this issue, make sure the CRL is signed correctly and also verify the CDP (CRL Distribution Point) configuration.

A workaround, which also applies when the CA is not configured to serve CRL requests (e.g. PSC), is to disable CRL checking on the NSX-T Manager:

1. The API below returns a few flags in a JSON structure, one of which is "crl_checking_enabled": true.

GET https://<NSX Manager>/policy/api/v1/infra/security-global-config

JSON response:
{
    "crl_checking_enabled": true,
    "ca_signed_only": false,
    "eku_checking_enabled": true,
    "id": "#########-####-####-####-###########",
    "_create_time": 1679339007871,
    "_create_user": "system",
    "_last_modified_time": 1679339007871,
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 0
}

2. Set "crl_checking_enabled" to false and send the whole JSON structure, with only that flag changed, as the body of the API call

PUT https://<NSX Manager>/policy/api/v1/infra/security-global-config

"crl_checking_enabled": false
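The two API calls above as a Python script, added here as an example and not part of the original article: it reads the current configuration, changes only crl_checking_enabled, sends the full structure back and re-reads it to confirm. The manager host name, credentials and CA file are assumptions, and the sample GET response is constructed from the one shown above with a placeholder id.

```python
import json, ssl, urllib.request
from base64 import b64encode

# Constructed sample of the GET response shown in the article (id is a placeholder).
SAMPLE_GET_RESPONSE = {
    "crl_checking_enabled": True,
    "ca_signed_only": False,
    "eku_checking_enabled": True,
    "id": "PLACEHOLDER-ID",
    "_create_time": 1679339007871,
    "_create_user": "system",
    "_last_modified_time": 1679339007871,
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 0,
}
FLAGS = ("crl_checking_enabled", "ca_signed_only", "eku_checking_enabled")

def build_put_body(config):
    # Copy of the GET payload with only crl_checking_enabled set to false; the
    # other flags and _revision are carried over so the PUT changes nothing else.
    missing = [k for k in FLAGS if k not in config]
    if missing:
        raise ValueError("unexpected security-global-config shape, missing %s" % missing)
    body = dict(config)
    body["crl_checking_enabled"] = False
    return body

def changed_flags(before, after):
    # Which of the three flags differ: review this before sending the PUT.
    return {k: (before[k], after[k]) for k in FLAGS if before[k] != after[k]}

def _call(method, url, user, password, ctx, body=None):
    auth = b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + auth, "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())

def disable_crl_checking(manager, user, password, cafile=None):
    # GET, flip the flag, PUT the full structure back, re-read to confirm (cafile: CA of the manager cert).
    ctx = ssl.create_default_context(cafile=cafile)
    url = "https://%s/policy/api/v1/infra/security-global-config" % manager
    current = _call("GET", url, user, password, ctx)
    new_body = build_put_body(current)
    _call("PUT", url, user, password, ctx, body=new_body)
    after = _call("GET", url, user, password, ctx)
    return changed_flags(current, after)  # expected {"crl_checking_enabled": (True, False)}
```

With the flag off, NSX Manager no longer checks whether the certificates it trusts have been revoked, so re-enable it once the CRL signing or CDP problem is fixed.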

Additional Information

CRL (Certificate Revocation List) is a list of certificates that have been revoked by the Certificate Authority (CA) before their expiration date. When a system is checking a certificate's validity, it may also verify that the certificate isn't listed in the CRL.