Provisioning of on-demand networks in NSX from VMware Aria Automation 8.18 fails


Article ID: 403140


Products

VMware NSX

Issue/Introduction

  • Provisioning of on-demand networks in NSX from Aria Automation 8.18 fails for a newly added vCenter and NSX endpoint.
  • Error seen in vRA while provisioning: (This is the mp-cluster certificate of the NSX Manager)

Environment

VMware NSX

VMware Aria Automation 8.18

Cause

The NSX cluster certificate has only the short name in its SAN field, which causes the handshake with vRealize Orchestrator (vRO) to fail.

Resolution

NSX must be updated with a new certificate that has the NSX FQDN in its SAN field for a successful handshake with vRealize Orchestrator (vRO):

Steps to perform:

To configure a new self-signed certificate for the cluster in NSX, follow the steps below. (Reference docs: "Create a Self-Signed Certificate" for creating the certificate, and "Replacing NSX VIP cluster certificate" for replacing the cluster certificate.)

1. With admin privileges, log in to NSX Manager.
2. Create a new self-signed certificate under System > Certificates > CSR tab. Make sure that the option Service Certificate is set to No when the certificate is created, and that the SAN field contains the NSX FQDN.
3. For the new certificate, the ID column under the Certificates section shows the cert-id to use in steps 4 and 5.
4. Verify that the certificate is valid by making the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

5. To replace the certificate of the manager cluster VIP, use the following API call:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
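
To confirm the cause before the change and the fix after it, the check below tests whether a certificate's SAN covers the FQDN that vRO connects to. This is an added example, not part of the original article or of VMware tooling; the host names nsx01 and nsx01.example.test and all function names are assumptions, and the sample certificates are constructed on the fly.

```shell
#!/usr/bin/env bash
# Added example. Host names and function names are assumptions for illustration.

# Return 0 if the PEM certificate in $1 is valid for host name $2.
# When a SAN with DNS entries is present, OpenSSL ignores the subject CN,
# which is why a SAN holding only the short name fails for the FQDN.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Save the certificate presented by $1 (host:port, e.g. the cluster VIP) to $2.
fetch_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
    openssl x509 -out "$2"
}

# Build a throwaway self-signed certificate with SAN list $2 (constructed sample).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -subj "/CN=nsx01" -addext "subjectAltName=$2" -out "$1" 2>/dev/null
}

# Offline demo: short-name-only SAN (the failing case) vs. SAN with the FQDN.
demo() {
  local dir fqdn=nsx01.example.test
  dir=$(mktemp -d)
  make_cert "$dir/short.pem" "DNS:nsx01"
  make_cert "$dir/fqdn.pem" "DNS:nsx01,DNS:$fqdn"
  for pem in short fqdn; do
    if cert_covers_host "$dir/$pem.pem" "$fqdn"; then
      echo "$pem.pem: SAN covers $fqdn"
    else
      echo "$pem.pem: SAN does NOT cover $fqdn (handshake by FQDN will fail)"
    fi
  done
  rm -rf "$dir"
}
demo
```

Against a live manager, save the presented certificate with fetch_cert <nsx-fqdn>:443 nsx.pem and then run cert_covers_host nsx.pem <nsx-fqdn>.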