Unable to onboard remote host due to incorrect thumbprint. (Error code: 500340) after Certificate replacement

Article ID: 407076

Updated On:

Products

VMware NSX

Issue/Introduction

  • You are using an NSX Federation environment.
  • Certificates have been replaced using the CARR script. After the certificate replacement, the segments and T0/T1 Gateways show as "Unknown" on both the Active and Standby Global Managers when running "Check Status".
  • The same segments and gateways still show as successful on their respective Local Managers.
  • In the NSX UI, under Location Managers, the following error message is shown: "Unable to onboard remote host due to incorrect thumbprint. (Error code: 500340)"

    Note: Occasionally, the UI does not show this error message, but the thumbprint mismatch is logged in the Global Manager syslog entries.

    [nsx@6876 comp="global-manager" level="INFO" subcomp="global-manager"] checkServerTrusted: C=US,ST=CA,L=Palo Alto,OU=NSX,O=VMware Inc.,CN=local_manager1.vmware.org for authType=ECDHE_RSA failed: ######25223741ab######7cf3abe01#######9a2312######954c1ad0######
    2025-08-10T01:22:21.848Z NSX-A-LM01.vmware.org NSX 148969 POLICY [nsx@6876 comp="global-manager" level="WARNING" subcomp="global-manager"] REST API failed: /policy/api/v1/global-infra/realized-state/status?intent_path=/global-infra/tier-0s/A-3-B-GM-TIER0 GET { }
    2025-08-10T01:22:21.849Z NSX-A-LM01.vmware.org NSX 148969 POLICY [nsx@6876 comp="global-manager" errorCode="PM500016" level="
    22:23.141Z local_manager1.vmware.org NSX 148969 SYSTEM [nsx@6876 comp="global-manager" level="WARNING" subcomp="global-manager"] Thumbprint mismatch for ######25223741ab######7cf3abe01#######9a2312######954c1ad0######



Environment

NSX Version 4.1.x

Cause

This situation occurs because the Local Manager's thumbprint does not match the thumbprint configured on the Global Manager. The thumbprint configured on the Global Manager needs to be updated.

Resolution

  • Follow this path to update the thumbprint:
    • GM > Location Manager > Edit Location > Update the thumbprint 

  • The thumbprint can be verified by connecting via SSH to one of the Local Manager nodes and running the command 'get certificate cluster thumbprint'.
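
The syslog check from the Note above and the thumbprint comparison from the Resolution, as an added example (not VMware tooling and not part of the original article). The message patterns are taken from the log entries quoted in this article; the sample lines, host names and thumbprints are constructed placeholders, and `same_thumbprint` assumes the two copies may differ only in case, colons or whitespace.

```python
import re
from collections import Counter

# Message shapes taken from the global-manager syslog entries quoted above.
TRUST_FAIL = re.compile(
    r"checkServerTrusted: (?P<subject>.+?) for authType=\S+ failed: (?P<thumb>\S+)")
MISMATCH = re.compile(r"Thumbprint mismatch for (?P<thumb>\S+)")
CN = re.compile(r"CN=([^,\s]+)")

# Constructed sample lines (host names and thumbprints are placeholders).
SAMPLE = [
    '[nsx@6876 comp="global-manager" level="INFO" subcomp="global-manager"] '
    'checkServerTrusted: C=US,ST=CA,L=Palo Alto,OU=NSX,O=Example Inc.,'
    'CN=lm-a.example.test for authType=ECDHE_RSA failed: ' + "ab" * 32,
    '2025-01-01T00:00:01.000Z gm-1.example.test NSX 1000 SYSTEM [nsx@6876 '
    'comp="global-manager" level="WARNING" subcomp="global-manager"] '
    'Thumbprint mismatch for ' + "ab" * 32,
    '2025-01-01T00:00:02.000Z gm-1.example.test NSX 1000 POLICY [nsx@6876 '
    'comp="global-manager" level="WARNING" subcomp="global-manager"] '
    'REST API failed: /policy/api/v1/global-infra/realized-state/status GET { }',
]

def find_thumbprint_events(lines):
    """Return (line_no, kind, cn, thumbprint) for each thumbprint-related entry."""
    events = []
    for no, line in enumerate(lines, 1):
        if 'comp="global-manager"' not in line:
            continue  # only Global Manager entries are relevant here
        m = TRUST_FAIL.search(line)
        if m:
            cn = CN.search(m.group("subject"))
            events.append((no, "trust_failure",
                           cn.group(1) if cn else None, m.group("thumb")))
        elif (m := MISMATCH.search(line)):
            events.append((no, "mismatch", None, m.group("thumb")))
    return events

def affected_local_managers(events):
    """Count trust failures per certificate CN so stale locations stand out."""
    return Counter(cn for _, kind, cn, _ in events if kind == "trust_failure" and cn)

def same_thumbprint(a, b):
    """Compare two thumbprints ignoring case, colons and whitespace."""
    norm = lambda t: re.sub(r"[\s:]", "", t).lower()
    return norm(a) == norm(b)

if __name__ == "__main__":
    found = find_thumbprint_events(SAMPLE)
    print(found, dict(affected_local_managers(found)))
```

Use `same_thumbprint` to compare the output of 'get certificate cluster thumbprint' on the Local Manager with the value entered under Edit Location before saving.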