Expiring CA certificate assigned to API services of VIP Errors: Index 0 out of bounds for length 0
Article ID: 409445
Updated On:
Products
Issue/Introduction
- During the certificate replacement process, an error was encountered through the NSX Manager GUI:
Error with details: Index 0 out of bounds for length 0
- Upon reviewing the NSX manager logs in
/var/log/syslog, the following error was identified:
- Additionally, a
GETAPI call confirmed that the expired certificate was still attached to the VIP node with the Service API. - A new certificate has since been imported successfully across all four nodes.
Environment
VMware NSX
Cause
The issue occurred because the certificate with service type API was still assigned to the site-id and had not been released.
Resolution
To address the issue, the certificate with service type API assigned to the site-id must first be released before it can be deleted from the NSX Manager UI.
-
Make sure a new CA-signed certificate has already been imported successfully through the GUI.
-
Global Managers (GMs) are not permitted to release certificates via API, and the CARR script does not resolve this issue.
-
Ensure that the VIP does not have a certificate assigned to the Service API.
-
You can verify this by checking:
cat /config/site-manager/siteId
To release the certificate, log in to the NSX terminal and invoke the release API. The required API call will be validated and provided by Broadcom Engineering.
If you believe release API called is necessary , please open a support case with Broadcom Support and reference this KB article.
For more information, see Creating and managing Broadcom support cases.
Additional Information
Further, the following errors is found in the NSX manager logs in /var/log/proton/nsxapi.log
2025-10-23T18:55:07.457Z WARN Thread-36 CertificateBatchServiceImpl 2576470 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error during batch operation: Index 0 out of bounds for length 0
java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
at jdk.internal.util.Preconditions.outOfBounds(Unknown Source) ~[?:?]
at jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Unknown Source) ~[?:?]
at jdk.internal.util.Preconditions.checkIndex(Unknown Source) ~[?:?]
at java.util.Objects.checkIndex(Unknown Source) ~[?:?]
at java.util.ArrayList.get(Unknown Source) ~[?:?]
at com.vmware.nsx.management.truststore.service.impl.TrustStoreServiceImpl.checkEndpointCertificate(TrustStoreServiceImpl.java:1783) ~[?:?]
at com.vmware.nsx.management.truststore.service.impl.TrustStoreServiceImpl.applyCertificate(TrustStoreServiceImpl.java:1687) ~[?:?]
at com.vmware.nsx.management.truststore.service.impl.TrustStoreServiceImpl.applyCertificate(TrustStoreServiceImpl.java:1570) ~[?:?]
at com.vmware.nsx.management.truststore.service.impl.CertificateBatchServiceImpl.executeReplaceOperation(CertificateBatchServiceImpl.java:356) ~[?:?]
2025-10-23T18:55:07.463Z INFO Thread-36 CertificateBatchServiceImpl 2576470 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Update operation ########-####-####-####### (status=ERROR)
Additionally, the NSX manager under /var/log/syslog, will show the errors below
2025-10-23T18:55:07.306Z <NSX-Manager-FQDN> NSX 2576470 - [nsx@6876 comp="nsx-manager" level="WARNING" reqId="#######-####-####-########" subcomp="manager" username=""] Node status doesn't exist for node "#######-####-####-########"
2025-10-23T18:55:07.457Z <NSX-Manager-FQDN> NSX 2576470 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error during batch operation: Index 0 out of bounds for length 0
Feedback
