NSX Upgrade Precheck fails due to a repo_sync issue on the NSX Managers

Article ID: 401590

Updated On:

Products

VMware NSX

Issue/Introduction

  • While running the upgrade pre-checks, REPO_SYNC is reported in a Failed state.
  • The following entries are observed in the NSX Manager log /var/log/proton/nsxapi.log:
    INFO RepoSyncThread-1746706374224 RepoSyncFileHelper 5414 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to get server info for https://####:443/repository/<nsx version>/Manager/dry-run/dry_run.py returned result CommandResultImpl [commandName=null, pid=0, status=FAILED, errorCode=51, errorMessage=curl_wrapper: (51) SSL: no alternative certificate subject name matches target host name '####'

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX 4.x

Cause

A single certificate is applied to all 3 NSX Manager API services and the VIP.
The certificate's CN (Common Name) matches one NSX Manager FQDN or the VIP FQDN, and is not a wildcard.
The SAN (Subject Alternative Name) field does not include the FQDNs of all 3 NSX Managers and the VIP.
When an NSX Manager connects to another NSX Manager whose FQDN is not in the certificate's SAN, host name verification fails because the certificate is not valid for that node. This is the curl error 51 ("no alternative certificate subject name matches target host name") shown in the log entry above.

Resolution

To resolve this issue:

  • Generate a new self-signed or CA-signed certificate, valid for all FQDNs:
    • Create a new CSR (Certificate Signing Request).
      • Starting in NSX 4.2.1, a CSR with a SAN field can be created in the NSX UI.
      • Prior to NSX 4.2.1, the following API can be used: 
        NSX API /api/v1/trust-management/csrs-extended
      • Alternatively, the CSR can be created with openssl and imported into the NSX UI.
    • Set the Common Name field to the VIP FQDN.
    • Set the Subject Alternative Name field to include:
      • The VIP FQDN (repeated from the Common Name)
      • All 3 NSX Manager FQDNs.
    • Apply the certificate to all 3 NSX Manager API services and VIP.
  • Or, create separate certificates for the VIP and each of the NSX Manager nodes.
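
One way to carry out the openssl alternative above, as an added example that is not part of the original article: the script builds a CSR with the VIP FQDN as CN and all four FQDNs in the SAN, then checks that none is missing. The FQDNs, file names and the RSA 2048 key type are constructed placeholders and assumptions, not values from the article.

```bash
#!/usr/bin/env bash
# Added example: CSR whose SAN covers the VIP and all three NSX Managers.
# FQDNs below are constructed placeholders; RSA 2048 is an assumed key type.
set -eu

VIP_FQDN="nsx-vip.example.test"
MGR_FQDNS="nsx-mgr-01.example.test nsx-mgr-02.example.test nsx-mgr-03.example.test"

# make_csr <outdir>: writes nsx-csr.cnf, nsx.key and nsx.csr into <outdir>.
make_csr() {
    outdir=$1
    cnf="$outdir/nsx-csr.cnf"
    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = $VIP_FQDN
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for name in $VIP_FQDN $MGR_FQDNS; do   # VIP first, then each manager
        echo "DNS.$i = $name" >> "$cnf"
        i=$((i + 1))
    done
    # umask 077 keeps the unencrypted private key readable by the owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
          -keyout "$outdir/nsx.key" -out "$outdir/nsx.csr" )
}

# missing_sans <csr> <fqdn>...: prints every FQDN that is absent from the SAN.
missing_sans() {
    csr=$1; shift
    sans=$(openssl req -in "$csr" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    for name in "$@"; do
        echo "$sans" | grep -qxF "$name" || echo "$name"
    done
}

workdir=$(mktemp -d)
make_csr "$workdir"
missing=$(missing_sans "$workdir/nsx.csr" $VIP_FQDN $MGR_FQDNS)
[ -z "$missing" ] || { echo "SAN is missing: $missing" >&2; exit 1; }
echo "CSR with complete SAN written to $workdir/nsx.csr"
```

To run the same check against a certificate that has already been issued, replace `openssl req -in` in `missing_sans` with `openssl x509 -in`.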

Additional Information