NSX Compute Manager "Failed to import trusted root certificate for computer manager" "Error code 90348" after vCenter Cert Renewal
search cancel

NSX Compute Manager "Failed to import trusted root certificate for computer manager" "Error code 90348" after vCenter Cert Renewal

book

Article ID: 424354

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • vCenter root CA certificate was replaced with a new certificate that does not contain a Common Name (CN) in the Issuer and Subject fields
  • NSX Compute Manager connectivity goes DOWN after the certificate replacement
  • Attempts to edit the Compute Manager to import the new root certificate fail
  • NSX is unable to find a valid trust root certificate for the vCenter server
  • Customer is blocked from restoring Compute Manager connectivity
  • The NSX manager reported the following error message: "Failed to import trusted root certificate for computer manager <name/IP> Try again. (Error code 90348)"

  • On the NSX Manager log, /var/log/cm-inventory/cm-inventory.log, has warnings similar to this example:

    <Date>T13:43:11.016Z  WARN http-nio-127.0.0.1-7443-exec-3 VcUtilsImpl 6104 SYSTEM [nsx@4413 comp="nsx-manager" level="WARNING" reqId="####" subcomp="cm-inventory" username="admin"] The CA cert : ######## is not valid due to Index 0 out of bounds for length 0
    <Date>T13:43:11.016Z  INFO http-nio-127.0.0.1-7443-exec-3 VcUtilsImpl 6104 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" reqId="####" subcomp="cm-inventory" username="admin"] No valid Trust Root Certificate found. Checking any valid Intermediate Certificate for compute manager : <VCENTER-SERVER-FQDN>
    <Date>T13:43:11.395Z  WARN http-nio-127.0.0.1-7443-exec-3 VcUtilsImpl 6104 SYSTEM [nsx@4413 comp="nsx-manager" level="WARNING" reqId="####" subcomp="cm-inventory" username="admin"] Found no valid root CA certificate for compute manager <VCENTER-SERVER-FQDN>

Environment

VMware NSX 9.x

Cause

The NSX root certificate identification logic relied solely on the Common Name (CN) field to match and validate the vCenter root CA certificate. When the vCenter root certificate was replaced with a certificate lacking a CN in the Subject field, NSX failed to identify it as a valid root certificate while updating Compute Manager, failing to import the certificate.

Resolution

This is a known issue impacting VMware NSX 9.

Replace the vCenter root CA certificate with a certificate that includes a Common Name (CN) in the Subject field. Edit the Compute Manager in NSX to re-import the updated certificate.

Powered by Wolken Software