Error: Failed to call POST nsxapi/api/v1/trust-management/certificates/UUID?action=apply_certificate returned with non-2xx error when configuring proxy certificate
search cancel

Error: Failed to call POST nsxapi/api/v1/trust-management/certificates/UUID?action=apply_certificate returned with non-2xx error when configuring proxy certificate

book

Article ID: 404023

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • Configuring proxy setting for HTTPS fails with following error:



  • The following error is encountered during certificate validation:
    GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate

    {
      "status" : "ERROR",
      "error_message" : "Certificate is not compliant as certificate of type SERVER: Certificate cannot be a CA certificate. (Basic constraints is TRUE)"
    }

  • In the NSX Manager logs /var/log/syslog, the following entries are observed:

    2025-07-01T13:06:07.751Z xxxx.xxxx NSX 5183 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP2078" level="ERROR" reqId="xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" subcomp="manager" username="admin"] Invalid Certificate - ERROR: Certificate is not compliant as certificate of type SERVER: Certificate cannot be a CA certificate. (Basic constraints is TRUE)
    2025-07-01T13:06:07.752Z xxxx.xx.xxx NSX 4367 MONITORING [nsx@6876 comp="nsx-manager" errorCode="MP701050" level="ERROR" subcomp="monitoring"] Fail to trigger POST nsxapi/api/v1/trust-management/certificates/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx?action=apply_certificate, unable to apply_certificate/release proxy's certificate.

    2025-07-01T13:06:07.753Z xxx.xx.xx NSX 4367 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="monitoring"] UserName:'[email protected]' ModuleName:'Monitoring' Operation:'PUT@/api/v1/proxy/config' Operation status: 'failure' Error: Failed to call POST nsxapi/api/v1/trust-management/certificates/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx?action=apply_certificate or POST nsxapi/api/v1/trust-management/certificates/f93b59f2-3b98-4ab1-9635-4ef65569abe8?action=apply_certificate returned with non-2xx error.



 

Environment

VMware Datacenter NSX-T
VMware NSX

Cause

This issue can occur when the CA certificate has an invalid format, for example it contains the root and intermediate certificates but does not contain the server(leaf) certificate. The format always should be leaf-intermediate-root.

Resolution

Ensure the certificate chain and configuration comply with the following guidelines:

1. Server Certificate Requirements

The server certificate must include the Basic Constraints field:

    • CA:FALSE

2. CA Certificate Chain Requirements

The root CA file and any intermediate certificates in the chain must include:

    • Basic Constraints: CA:TRUE

3. Certificate Chain Order

When uploading a CA-signed certificate, include the entire chain in the following order: server/leaf certificate - intermediate - root


Additional Information

To verify if the certificate is complaint with the requirements, review the NSX-T server certificate using openssl

  • On any system with openssl installed, use the command:
openssl x509 -in <path_to_NSXT_certificate_file> -noout -text

 

Adding additional document : Import a Self-signed or CA-signed Certificate

Powered by Wolken Software