Error 90011 "Failed to enable trust on Compute Manager" in NSX after vCenter Server certificate replacement
Article ID: 431963

Products

VMware NSX, VMware Cloud Foundation

Issue/Introduction

  • VMware Cloud Foundation (VCF) SDDC Manager certificate replacement tasks (e.g., VMCA to a Microsoft CA or Custom CA) fail at the NSX retrust step.
  • The following error is observed in the SDDC Manager UI during the task, as well as in the NSX Compute Manager UI:
    Error: Failed to enable trust on Compute Manager due to error No thumbprint is configured for the OIDC endpoint, and no trusted CA certificate for the OIDC endpoint has been imported. Import a trusted CA for this endpoint... (Error code: 90011)

  • In the NSX UI (System > Compute Managers), the vCenter Compute Manager displays a Registration Status of "Registered with Errors".

  • Under /var/log/cm-inventory/cm-inventory.log on the NSX Manager Appliance, confirm that the NSX Manager successfully imports the new vCenter Root CA into the cacert_store when the user saves the CM configuration:

    INFO http-nio-127.0.0.1-7443-exec-4 MpRestService 78970 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" reqId="########-####-####-####-############" subcomp="cm-inventory" username="<redacted>"] Successfully imported trusted root certificate for compute manager <compute-manager-hostname> into cacert_store
  • While the Root CA import is successful, the subsequent process of registering the vCenter OIDC (OpenID Connect) endpoint in the NSX trust store fails.

Environment

  • VCF 9.x
  • NSX 9.x

Cause

The 'Failed to enable trust on Compute Manager' error is caused by a conflict in NSX Trust Management: two distinct certificate entries exist for the same vCenter FQDN, so the trust-establishment process cannot identify a single, valid certificate for the OIDC endpoint.

Resolution

Update the compute manager thumbprint and access credentials via a REST API call to the NSX Manager.

  1. Obtain the current _revision integer and Compute Manager ID by querying the NSX Manager API. _revision is the object's version counter; the PUT in step 3 is rejected if the value is stale, so query it immediately before the update.

    API Command:

    GET https://<NSX_MANAGER_FQDN_OR_IP>/api/v1/fabric/compute-managers


    Curl Command:

    curl -k -u admin -H 'Content-Type: application/json' -X GET https://<NSX_MANAGER_FQDN_OR_IP>/api/v1/fabric/compute-managers

    In the response, note the id and _revision of the entry whose server value matches the vCenter FQDN. The -k flag skips verification of the NSX Manager certificate; omit it if that certificate is already trusted by the client. Leaving the password out of -u makes curl prompt for it instead of recording it in shell history.

  2. Obtain the new SHA-256 thumbprint of the vCenter Server machine SSL certificate.

    vCenter thumbprint:

    openssl s_client -connect <vcenter-ip/fqdn>:443 -servername <vcenter-fqdn> </dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout

    This command does not validate the certificate it retrieves, so compare the fingerprint with the machine SSL certificate shown in the vCenter Certificate Management UI before using it.

  3. Execute the following API call to update the Compute Manager:

    API Command:

    PUT https://<NSX_MANAGER_FQDN_OR_IP>/api/v1/fabric/compute-managers/<COMPUTE_MANAGER_ID>

    Curl Command:

    curl -k -u admin -H 'Content-Type: application/json' -X PUT https://<NSX_MANAGER_FQDN_OR_IP>/api/v1/fabric/compute-managers/<COMPUTE_MANAGER_ID> -d @payload.json

  4. Supply the following JSON payload body: create the payload.json file referenced in step 3 with the content below. The file contains the vCenter password, so restrict its permissions (for example, chmod 600) and delete it once the update succeeds.

    {
      "server": "<VCENTER_FQDN_OR_IP>",
      "origin_type": "vCenter",
      "credential": {
        "credential_type": "UsernamePasswordLoginCredential",
        "thumbprint": "<VC_MACHINE_SSL_CERT_SHA256_THUMBPRINT_step_2>",
        "username": "<VCENTER_USERNAME>",
        "password": "<VCENTER_PASSWORD>"
      },
      "_revision": <CURRENT_REVISION_step_1>
    }

  5. Verify the API request returns an HTTP 200 OK status.

  6. Allow time for the vCenter Server to undeploy and redeploy the NSX plugin.

  7. In the NSX UI, verify that the Compute Manager Registration Status returns to "Registered" and the Connection Status is "Up", with zero active alarms.
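The following script carries steps 1 to 5 above end to end, and also applies the thumbprint formatting rule from the Additional Information section. It is an added example, not code from VMware or from this article, and it uses only the Python standard library. Everything not taken from the article is an assumption: the environment variables NSX_URL, NSX_USER, NSX_PASS, VC_FQDN, VC_USER and VC_PASS; the response shape of the GET call (a "results" array whose entries carry "id", "server" and "_revision"); and SAMPLE_LISTING, which is constructed data that stands in for a real response. TLS verification towards the NSX Manager is on by default and can be switched off to mirror curl -k; the connection to vCenter deliberately does not validate the chain, exactly like the openssl one-liner in step 2.

```python
# Added worked example (not VMware/KB code): steps 1-5 with the standard library.
# Assumed, not from the article: env vars NSX_URL, NSX_USER, NSX_PASS, VC_FQDN,
# VC_USER, VC_PASS; listing shape = ComputeManagerListResult ("results" entries
# carry "id", "server", "_revision"). SAMPLE_LISTING below is constructed data.
import base64
import hashlib
import json
import os
import socket
import ssl
import urllib.request

SAMPLE_LISTING = {"results": [  # constructed, illustrative response to step 1
    {"id": "cm-constructed-1", "server": "vc01.example.internal", "_revision": 7},
    {"id": "cm-constructed-2", "server": "vc02.example.internal", "_revision": 3}]}


def normalize_thumbprint(raw: str) -> str:
    """Accept 'ab:cd:..' or 'abcd..' in any case; return uppercase hex pairs
    joined by colons, the form openssl prints and the NSX API accepts."""
    digest = raw.strip().replace(":", "").upper()
    if len(digest) != 64 or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError("thumbprint is not a 64-hex-digit SHA-256 digest")
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def sha256_thumbprint(cert_der: bytes) -> str:
    """Step 2: SHA-256 fingerprint of a DER-encoded certificate."""
    return normalize_thumbprint(hashlib.sha256(cert_der).hexdigest())


def tls_context(verify: bool) -> ssl.SSLContext:
    """verify=False mirrors curl -k: use it only while the NSX Manager or
    vCenter certificate is not yet trusted by this client."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_vcenter_thumbprint(host: str, port: int = 443) -> str:
    """Fingerprint the machine SSL certificate vCenter presents. The chain is
    not validated here, so check the value against vCenter's own UI."""
    with socket.create_connection((host, port), timeout=10) as raw_sock:
        with tls_context(False).wrap_socket(raw_sock, server_hostname=host) as tls:
            return sha256_thumbprint(tls.getpeercert(binary_form=True))


def find_compute_manager(listing: dict, vcenter: str):
    """Step 1: return (id, _revision) for the one entry matching this vCenter.
    _revision is NSX's optimistic-lock counter; a stale value fails the PUT."""
    matches = [cm for cm in listing.get("results", [])
               if (cm.get("server") or "").lower() == vcenter.lower()]
    if len(matches) != 1:
        raise ValueError(f"expected one compute manager for {vcenter}, got {len(matches)}")
    return matches[0]["id"], matches[0]["_revision"]


def build_payload(vcenter, thumbprint, username, password, revision) -> dict:
    """Step 4: PUT body, with the thumbprint normalized first."""
    return {"server": vcenter, "origin_type": "vCenter",
            "credential": {"credential_type": "UsernamePasswordLoginCredential",
                           "thumbprint": normalize_thumbprint(thumbprint),
                           "username": username, "password": password},
            "_revision": revision}


def nsx_call(base_url, path, user, password, method="GET", body=None, verify=True):
    """Minimal NSX REST call with HTTP basic auth; returns (status, json)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=tls_context(verify), timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def retrust(nsx_url, nsx_user, nsx_pass, vc_fqdn, vc_user, vc_pass, verify=True):
    """Steps 1-5 end to end; returns the HTTP status of the PUT (200 expected)."""
    _, listing = nsx_call(nsx_url, "/api/v1/fabric/compute-managers", nsx_user, nsx_pass, verify=verify)
    cm_id, revision = find_compute_manager(listing, vc_fqdn)
    payload = build_payload(vc_fqdn, fetch_vcenter_thumbprint(vc_fqdn), vc_user, vc_pass, revision)
    status, _ = nsx_call(nsx_url, f"/api/v1/fabric/compute-managers/{cm_id}",
                         nsx_user, nsx_pass, method="PUT", body=payload, verify=verify)
    return status


if __name__ == "__main__":
    e = os.environ
    print(retrust(e["NSX_URL"], e["NSX_USER"], e["NSX_PASS"], e["VC_FQDN"], e["VC_USER"],
                  e["VC_PASS"], verify=e.get("NSX_VERIFY_TLS", "1") == "1"))
```

Run it with the six environment variables set and NSX_VERIFY_TLS=0 only if the NSX Manager certificate is not yet trusted by the host running the script; a printed 200 corresponds to step 5, after which steps 6 and 7 are verified in the NSX UI as described. Because find_compute_manager insists on exactly one matching entry and fetches _revision in the same run as the PUT, a stale revision or an ambiguous listing fails loudly instead of silently updating the wrong object.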

Additional Information

Ensure the provided SHA-256 thumbprint is formatted as the API expects. The command in step 2 prints uppercase hex pairs separated by colons, which is the format normally accepted; if your NSX version's API schema requires a different form (for example, lowercase hex without colons), convert it accordingly. The thumbprint must match the certificate vCenter actually presents, so repeat step 2 and this procedure after any further vCenter certificate replacement.