local-manager certificates can't be replaced or removed on the Global Manager

Article ID: 409743

Updated On:

Products

VMware NSX

Issue/Introduction

  • VMware NSX Federation
  • The Global Manager has one or more expiring/expired local-manager certificates that are still in use.
  • The expiring/expired certificates are used by two entities: Client Auth and Local Manager.
  • Certificates on the Local Manager(s) were recently renewed (e.g. manually, or using the CARR script).
  • The Global Manager's expiring/expired certificates cannot be renewed manually or with the CARR script.

Environment

VMware NSX

Resolution

This is a condition that may occur in a VMware NSX environment.

If you believe you have encountered this issue (e.g. the CARR script doesn't resolve the expired/expiring certificates), please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.

Additional Information

If you are contacting Broadcom support about this issue, please provide the following:

  • NSX Manager support bundles.
  • Output of the following API call, run on the Global Manager:
    GET https://<nsx_manager>/api/v1/trust-management/principal-identities
  • Text of any error messages seen in NSX GUI or command lines pertinent to the investigation.

Handling Log Bundles for offline review with Broadcom support:

Also see KB article: LocalManager certificate expired and CARR did not solve the issue.