Apply Certificate fails with Error: Principal '<username>' with role '<role>' attempts to delete or modify an object of type nsx$Certificate it doesn't own.

Article ID: 401094

Products

VMware NSX

Issue/Introduction

  • One of the following API calls is run to apply a certificate to the NSX Manager nodes or cluster:
      POST /api/v1/trust-management/certificates/<certificate_uuid>?action=apply_certificate&service_type=MGMT_CLUSTER
      POST /api/v1/trust-management/certificates/<certificate_uuid>?action=apply_certificate&service_type=API&node_id=<node_uuid>
  • NSX Manager responds with this error:
    {
      "httpStatus" : "BAD_REQUEST",
      "error_code" : 289,
      "module_name" : "common-services",
      "error_message" : "Principal '<username>' with role '<role>' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)"
    }
  • The syslog under /var/log shows this error:
    <TIMESTAMP> <HOSTNAME> NSX 10511 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP289" level="ERROR" reqId="<reqId>" subcomp="manager" username="<username>"] Principal '<principal>' with role '<role>' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)
  • The certificate was created by nsx_policy.
    GET /api/v1/trust-management/certificates/<certificate_id>, or desired_state_manager.json in the log bundle, shows
    "_create_user": "nsx_policy"
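
Added example (not part of the original article and not VMware tooling): a Python check that compares syslog lines and a certificate GET response against the symptoms listed above. The function names, the sample log line and the sample certificate JSON are constructed for illustration.

```python
import json
import re

# Fields of the MP289 syslog line quoted in the article.
MP289 = re.compile(
    r'errorCode="MP289".*?username="(?P<username>[^"]*)"\]\s*'
    r"Principal '(?P<principal>[^']*)' with role '(?P<role>[^']*)' attempts to delete or "
    r"modify an object of type (?P<obj_type>\S+) it doesn't own\. "
    r"\(createUser=(?P<create_user>[^,]+), allowOverwrite=(?P<allow_overwrite>[^)]*)\)"
)

def find_ownership_errors(lines):
    """Return one dict per MP289 ownership error on an nsx$Certificate object."""
    hits = []
    for line in lines:
        m = MP289.search(line)
        if m and m.group("obj_type") == "nsx$Certificate":
            hits.append(m.groupdict())
    return hits

def created_by_policy(cert_json):
    """True when the certificate GET response reports _create_user nsx_policy."""
    return json.loads(cert_json).get("_create_user") == "nsx_policy"

def triage(lines, cert_json):
    """Match the article's symptoms: MP289 on a certificate plus nsx_policy ownership."""
    errors = find_ownership_errors(lines)
    policy_owned = created_by_policy(cert_json)
    matches = bool(errors) and policy_owned and all(
        e["create_user"] == "nsx_policy" for e in errors)
    return {"errors": errors, "policy_owned": policy_owned, "matches_article": matches}

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = [
    '2024-05-01T10:00:00.000Z nsxmgr-01 NSX 10511 SYSTEM [nsx@6876 comp="nsx-manager" '
    'errorCode="MP289" level="ERROR" reqId="00000000-0000" subcomp="manager" '
    'username="admin"] Principal \'admin\' with role \'enterprise_admin\' attempts to '
    'delete or modify an object of type nsx$Certificate it doesn\'t own. '
    '(createUser=nsx_policy, allowOverwrite=null)',
    '2024-05-01T10:00:01.000Z nsxmgr-01 NSX 10511 SYSTEM [nsx@6876 comp="nsx-manager" '
    'level="INFO" subcomp="manager"] Unrelated message',
]
SAMPLE_CERT = '{"id": "constructed-cert-id", "_create_user": "nsx_policy"}'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_CERT), indent=2))
```

When `matches_article` is true, the failed apply request matches the condition described under Cause below.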

Environment

NSX 4.x
NSX-T Data Center 3.x

Cause

A Service Certificate cannot be used for the NSX Manager nodes or cluster.

Resolution

Create or import a certificate with Service Certificate set to No.

Additional Information