Failed to replace certificate for AVI portal certificate from SDDC

Article ID: 420817


Products

VMware NSX, VMware SDDC Manager, VMware Avi Load Balancer

Issue/Introduction

  • Replacing the AVI portal certificate from SDDC fails

  • SDDC operationsmanager log:

Exception occurred during NSX API invocation
java.util.concurrent.ExecutionException: com.vmware.vapi.std.errors.InvalidRequest: InvalidRequest (com.vmware.vapi.std.errors.invalid_request) => {
    messages = [],
    data = struct => {error_message=Error: Failed to update Portal Certificate in NSX ALB Controller., httpStatus=BAD_REQUEST, error_code=500016, module_name=Policy},
    errorType = INVALID_REQUEST
}

Post install validate certificate integrity, Certificate replacement status FAILED

  • The NSX nsxapi log shows that remote_auth_configurations is not parsed into the system configuration payload

     Query ALB system configuration:

INFO http-nio-127.0.0.1-7440-exec-12 AlbControllerConfigurationUtils 6719 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] [ALB Controller] [Clustering id null] JSON is {"_last_modified":"######","admin_auth_configuration":{"allow_local_user_login":true,"remote_auth_configurations":[{"auth_mapping_profile_ref":"https://AVI_VIP/api/authmappingprofile/authmappingprofile-690898ae-########1157######vidm-authmapping-profile",

     After the system configuration payload is parsed, remote_auth_configurations is missing:

INFO http-nio-127.0.0.1-7440-exec-12 AlbControllerNodeConfiguration 6719 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] [ALB Controller] System configuration payload is {"admin_auth_configuration":{"allow_local_user_login":true},"common_criteria_mode":false

    Unable to update the system configuration:

INFO http-nio-127.0.0.1-7440-exec-12 AlbControllerConfigurationUtils 6719 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] REST API https://AVI_VIP/api/systemconfiguration/?include_name failed with throwable 400 Bad Request: "{"error":"There must be at least 1 remote/service auth configured in admin_auth_configuration"}"
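To confirm that a failed replacement matches this article, the three nsxapi entries above can be correlated per request thread. The script below is an added example, not VMware code; it assumes the thread name follows the log level as in the excerpts, and the function name and sample lines are constructed for illustration.

```python
import re

# Marker strings copied from the nsxapi log excerpts on this page.
QUERY = "[ALB Controller] [Clustering id null] JSON is "
PAYLOAD = "System configuration payload is "
ERROR = "There must be at least 1 remote/service auth configured in admin_auth_configuration"
KEY = '"remote_auth_configurations"'
# Assumption: the thread name follows the log level, as in the excerpts.
THREAD = re.compile(r"(?:^|\s)(?:DEBUG|INFO|WARN|ERROR)\s+(\S+)\s")


def find_dropped_remote_auth(lines):
    """Return threads where the queried config had remote auth, the payload
    built from it did not, and the update was then rejected."""
    state, hits = {}, []
    for line in lines:
        m = THREAD.search(line)
        if not m:
            continue
        thread = m.group(1)
        st = state.setdefault(thread, {"queried": False, "dropped": False})
        # Substring checks, not json.loads: logged JSON may be truncated.
        if QUERY in line:
            st["queried"], st["dropped"] = KEY in line, False
        elif PAYLOAD in line:
            st["dropped"] = st["queried"] and KEY not in line
        elif ERROR in line:
            if st["dropped"]:
                hits.append(thread)
            del state[thread]
    return hits


# Constructed sample lines, abbreviated from the excerpts on this page.
PFX = 'INFO http-nio-127.0.0.1-7440-exec-%d Alb 6719 POLICY [nsx@6876 comp="nsx-manager"] '
SAMPLE = [
    PFX % 12 + QUERY + '{"admin_auth_configuration":{"allow_local_user_login":true,'
    + KEY + ':[{"auth_mapping_profile_ref":"https://AVI_VIP/api/authmappingprofile/',
    PFX % 7 + QUERY + '{"admin_auth_configuration":{"allow_local_user_login":true}',
    PFX % 12 + "[ALB Controller] " + PAYLOAD
    + '{"admin_auth_configuration":{"allow_local_user_login":true},',
    PFX % 7 + "[ALB Controller] " + PAYLOAD
    + '{"admin_auth_configuration":{"allow_local_user_login":true},',
    PFX % 12 + "REST API https://AVI_VIP/api/systemconfiguration/?include_name failed "
    + 'with throwable 400 Bad Request: "{"error":"' + ERROR + '"}"',
]

if __name__ == "__main__":
    for t in find_dropped_remote_auth(SAMPLE):
        print("remote_auth_configurations dropped before update on thread", t)
```

A hit means remote authentication was configured on the ALB Controller when the replacement ran, which is the condition the Resolution steps work around.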

Environment

VMware NSX

VMware SDDC Manager

VMware Avi Load Balancer

Cause

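remote_auth_configurations is not parsed when the ALB portal certificate is replaced from SDDC, so the system configuration update sent to the ALB Controller omits it and is rejected with the 400 Bad Request shown above.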

Resolution

To resolve this issue:

1: Temporarily change Authentication to Local from the ALB Controller

2: Replace the ALB portal certificate from SDDC

3: Change Authentication back to Remote from the ALB Controller

Additional Information

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-administration-guide/user-authentication-and-authorization/enabling-saml-authentication-in-nsx-advanced-load-balancer.html