Expired Local Manager Certificate cannot be replaced with CARR script after rebuilding an NSX manager node
Article ID: 411349

Products

VMware NSX

Issue/Introduction

  • Issue occurs after at least one of the NSX manager nodes was previously replaced or rebuilt
  • Within the NSX UI > System > Certificates, the "Local Manager" shows as Expired
  • On the Certificates page, next to the expired certificate, when clicking on the number value under the "Where Used" column, it shows vertical lines for "Location / Node id"

  • When running the following API call:

    GET /api/v1/trust-management/certificates/<certificate_ID>

    • This shows an invalid node_id value:

        "used_by" : [ {
          "node_id" : "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
          "service_types" : [ "LOCAL_MANAGER" ]
        }, {

  • When running the CARR script from KB 369034, a new replacement certificate is created, but does not get applied successfully

Environment

NSX 4.x

Cause

  • Removing and rebuilding an NSX manager may cause the Local Manager certificate to contain an invalid node ID
  • Since the node ID is invalid, the CARR script is not able to replace the certificate successfully

Resolution

  1. Within NSX UI > System > Certificates, locate the newly created certificate for the "Local Manager" service
  2. Confirm the new certificate has a value of "0" in the "Where Used" column
  3. Expand the entry for the certificate and copy the "ID" value
  4. Copy the NSX manager UUID by going to the NSX UI > System > Appliances, click on the View Details for the replaced NSX manager, and click on the Copy to Clipboard icon next to "UUID"
  5. Use the API calls in the following documentation for replacing certificates:
    https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/certificates/importing-certificates/replace-certificates-through-api.html
  6. Verify that the certificate is valid by making the following API call:

    GET /api/v1/trust-management/certificates/<certificate_ID>?action=validate

  7. To replace the API certificate of a manager node, use the following API call:

    POST /api/v1/trust-management/certificates/<certificate_ID>?action=apply_certificate&service_type=LOCAL_MANAGER&node_id=<manager_node_uuid>

    • Replace <certificate_ID> with the certificate ID from Step 3
    • Replace <manager_node_uuid> with the manager node UUID from Step 4

  8. Confirm on the NSX UI > System > Certificates page that the new certificate has been applied to the Local Manager service
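The following script is an added example, not VMware's or Broadcom's code, and not part of the KB article. It ties together the symptom in the Issue section (a `used_by` entry whose `node_id` is a run of NUL characters instead of a UUID) and Steps 3 to 8 of the Resolution: it flags a certificate whose LOCAL_MANAGER usage carries an invalid node ID, refuses to build the `apply_certificate` call unless the manager node UUID you copied from the Appliances page actually parses as a UUID, and runs the validate and apply requests in that order. Assumptions: the `SAMPLE_CERT_RESPONSE` JSON is constructed to mirror the symptom, the manager accepts HTTP basic authentication, and the validate call returns a JSON object whose `"status"` field is `"OK"` for a valid certificate; the function names and the `nsx.example.local` hostname are the example's own.

```python
"""Detect an invalid LOCAL_MANAGER node_id and run the validate/apply calls from the KB.

Added example, not VMware/Broadcom code. Assumptions are marked in comments.
"""
import base64
import json
import ssl
import urllib.request
import uuid
from typing import Optional

# Constructed sample mirroring the symptom: node_id is 36 NUL characters, not a UUID.
SAMPLE_CERT_RESPONSE = json.dumps({
    "id": "cert-EXAMPLE-ID",  # placeholder, not a real certificate ID
    "used_by": [
        {"node_id": "\u0000" * 36, "service_types": ["LOCAL_MANAGER"]},
    ],
})


def is_valid_node_id(node_id) -> bool:
    """True only if node_id parses as a UUID (the form the Appliances page copies)."""
    try:
        uuid.UUID(str(node_id))
        return True
    except (ValueError, TypeError):
        return False


def find_broken_local_manager_usage(cert_json: str) -> list:
    """Return node_id values of LOCAL_MANAGER usages that are not valid UUIDs."""
    doc = json.loads(cert_json)
    broken = []
    for usage in doc.get("used_by", []):
        if "LOCAL_MANAGER" in usage.get("service_types", []):
            node_id = usage.get("node_id", "")
            if not is_valid_node_id(node_id):
                broken.append(node_id)
    return broken


def validate_path(cert_id: str) -> str:
    """Step 6: request path that asks the manager to validate the certificate."""
    return f"/api/v1/trust-management/certificates/{cert_id}?action=validate"


def apply_path(cert_id: str, node_uuid: str) -> str:
    """Step 7: request path that applies the certificate to one manager node.

    Refuses a node UUID that is not a UUID, so the bad value from the symptom
    can never be echoed back into an apply call.
    """
    if not is_valid_node_id(node_uuid):
        raise ValueError(f"manager node UUID is not a valid UUID: {node_uuid!r}")
    return (f"/api/v1/trust-management/certificates/{cert_id}"
            f"?action=apply_certificate&service_type=LOCAL_MANAGER&node_id={node_uuid}")


def nsx_call(manager: str, method: str, path: str, user: str, password: str,
             cafile: Optional[str] = None) -> dict:
    """One authenticated request to the manager; returns the JSON body or {}.

    Assumption: the manager accepts HTTP basic auth. TLS is verified against
    the system store, or against `cafile` if the manager uses a private CA.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{path}", method=method,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def replace_local_manager_cert(manager: str, cert_id: str, node_uuid: str,
                               user: str, password: str,
                               cafile: Optional[str] = None) -> None:
    """Steps 6 and 7 in order: validate first, apply only if validation passed."""
    result = nsx_call(manager, "GET", validate_path(cert_id), user, password, cafile)
    # Assumption: a valid certificate reports "status": "OK".
    if result.get("status") != "OK":
        raise RuntimeError(f"certificate {cert_id} did not validate: {result}")
    nsx_call(manager, "POST", apply_path(cert_id, node_uuid), user, password, cafile)


if __name__ == "__main__":
    # Offline part: show the symptom detection on the constructed sample.
    broken = find_broken_local_manager_usage(SAMPLE_CERT_RESPONSE)
    print("invalid LOCAL_MANAGER node_id values:", [repr(b) for b in broken])
    # Online part (hostname and IDs are placeholders):
    # replace_local_manager_cert("nsx.example.local", "<certificate_ID>",
    #                            "<manager_node_uuid>", "admin", "<password>")
```

Run the script as-is to see the detection on the constructed sample; to perform the replacement, fill in the placeholders in the commented call with the certificate ID from Step 3 and the manager node UUID from Step 4. Keeping the UUID check in `apply_path` is the point of the example: the CARR script fails because it inherits the NUL-filled node ID, and this guard makes the manual path refuse anything that is not a real UUID before any request is sent.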