"NCP Plugin Down" critical alert in NSX Manager UI after Active Directory/LDAPS certificate updates
Article ID: 426124
Updated On:
Products
VMware NSX
Issue/Introduction
- The user account for the Tanzu Kubernetes' Network Container Plugin (NCP) authenticates in NSX Manager via LDAPS.
- Alarms clear on their own after some time but come back again repeatedly. There may be many Resolved alarms present even if none currently show Open.
- The connection status for the LDAP(s) Identity Source in the NSX UI under System> User Management may fluctuate between Success and Failed.
-
In the NSX Manager
syslogorauth.log(in /var/log), the following error message may be observed during failed authentication attempts:"No issuer certificate for certificate in certification path found"
Cause
This occurs when the SSL/TLS certificate currently presented by the LDAP server does not match the CA or leaf certificate stored in the NSX Manager’s trust store.
Resolution
Import any needed CA certificates to NSX Manager and update the Authentication Provider configuration as shown at:
- (KB 415306) Active Directory users login to NSX Manager fails with an error "Unable to get local issuer certificate and Unable to verify the first certificate" if there is not a load balancer with multiple active directory servers configured.
- (KB 425542) Intermittent Active Directory (AD/LDAPS) Authentication Failures in NSX Manager when using a Load Balancer for multiple AD Servers for environments using a VIP that can redirect to various active directory servers/domain controllers for authentication.
Additional Information
NCP Plugin Down alarms may also trigger due to time sync issues between NSX Manager, vCenter Server, and the NCP Supervisor cluster as shown at (KB 399564) NCP Plugin Down.
Feedback
Yes
No
Powered by
