While deploying a New VCF 9 Instance via VCF Installer, Brownfield Import fails at "Generate inputs for configuring NSX Manager after Import" with SslException: certificate_unknown
Article ID: 432253

Products

VCF Operations

Issue/Introduction

  • During a VMware Cloud Foundation (VCF) 9 Brownfield Import, the workflow fails at the task "Generate inputs for configuring NSX Manager after Import".

  • This issue is observed after encountering an initial error "Certificate for <NSX_FQDN> doesn't match any of the subject alternative names" and subsequently regenerating the NSX Manager certificates (by following the KB article "vCenter import fails at pre-checks with error message "Cause: Certificate for doesn't match any of the subject alternative names").

  • The following errors are logged in /var/log/vmware/vcf/domainmanager/domain-manager.log on the VCF appliance:

    ERROR [vcf_dm, ################################, ####] [c.v.v.c.n.s.c.c.ComplexHelpers, dm-exec-33] Exception occurred during NSX API invocation
    java.util.concurrent.ExecutionException: com.vmware.vapi.client.exception.SslException: certificate_unknown (46)
    Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:317)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:272)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:181)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:127)
    ... 59 common frames omitted
    Caused by: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi_8.engineBuild(Unknown Source)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.buildCertPath(ProvX509TrustManager.java:245)
    at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:300)
    ... 62 common frames omitted
    
    ERROR [vcf_dm,################################] [c.v.v.c.n.s.c.c.ComplexHelpers,dm-exec-16]  Exception occurred during NSX API invocation
    ERROR [vcf_dm,################################] [c.v.v.c.service.ResourceCacheService,dm-exec-16]  Error happened during isConfigRealizedCheck on resource ################################ of drift ################################. Will re-try in the next refresh cycle.
    com.vmware.vcf.configreconciler.common.error.ConfigReconcilerCommonException: Failed to check if configuration associated with drift ################################ is already realized on resource certificate_unknown(46) due to {2}. The system will automatically retry this check in the next cache refresh cycle.

Environment

VCF 9.0.x

Cause

This issue occurs because the VCF appliance does not trust the newly generated NSX Manager certificate. When VCF attempts to make an API invocation to the NSX Manager, it is unable to construct a valid certificate chain or verify the certificate, resulting in an SSL handshake failure (certificate_unknown).

Resolution

To resolve this issue, manually extract the new certificate from the NSX Manager and import it into the VCF appliance's commonsvcs and Java trust stores.

1. Log in to the VCF appliance via SSH using the vcf user account.

2. Switch to the root user by running the following command:

  • su - root

3. Run the following command to retrieve the certificate from the NSX Manager and save it on the VCF appliance. (Note: Replace <NSX-FQDN> with the actual Fully Qualified Domain Name or IP address of your NSX Manager.)

  • openssl s_client -connect <NSX-FQDN>:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /tmp/nsx_manager.crt

4. Obtain the VCF trusted certificates key by issuing the following command:

  • KEY=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)

5. Import the NSX certificate into the VCF commonsvcs trust store:

  • keytool -importcert -alias nsx -file /tmp/nsx_manager.crt -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store --storepass $KEY
    (Type yes if prompted to trust the certificate).

6. Import the NSX certificate into the Java trust store:

  • keytool -importcert -alias nsx -file /tmp/nsx_manager.crt -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
    (Type yes if prompted to trust the certificate).

7. Restart the VCF services to apply the new trust store configuration:

  • /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

8. Once all services are fully restarted and healthy, return to the SDDC Manager UI and retry the Brownfield Import task.
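The script below is an added example for this article, not Broadcom's own tooling or a script shipped with VCF. It assumes the same trust-store paths, `nsx` alias and passwords as steps 3 to 6 above and takes the NSX Manager FQDN as its only argument. It makes two things visible that the one-liners hide: the `openssl x509` stage in step 3 keeps only the first certificate from the `-showcerts` output (the NSX server certificate itself, not any CA that signed it), and, before the service restart in step 7, that the `nsx` alias really is present in both stores with a SHA-256 fingerprint matching the certificate that was fetched. The `sample_showcerts` function emits a constructed two-block sample (placeholder content, not real X.509 data) so the chain splitting can be tried offline.

```shell
#!/bin/sh
# Added example for this KB, not Broadcom's own tooling. Assumes the same
# paths and alias as the resolution steps; NSX FQDN is passed as argument 1.
set -u

# Split `openssl s_client -showcerts` output (the whole chain the server sent)
# into one PEM file per certificate. OUT_DIR/cert-1.pem is the server (leaf)
# certificate, which is the only one step 3's `openssl x509` keeps; cert-2.pem
# onward are any intermediate/root certificates the server also presented.
# Prints the number of certificates found.
split_chain() {
  in="$1"; out="$2"
  mkdir -p "$out"
  awk -v dir="$out" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > (f) }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$in"
}

# SHA-256 fingerprint of a PEM certificate in the AA:BB:... form that
# `keytool -list` prints, so the two can be compared by eye.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Confirm an alias exists in a trust store (keytool exits non-zero if it does
# not) and print its fingerprint. Run this before restarting services (step 7).
check_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null
}

# Live run against an NSX Manager: fetch the chain, show what the leaf is,
# then confirm the alias imported in steps 5 and 6 is present in both stores.
import_check() {
  fqdn="$1"; work=$(mktemp -d)
  openssl s_client -connect "$fqdn:443" -showcerts </dev/null 2>/dev/null \
    > "$work/showcerts.txt"
  n=$(split_chain "$work/showcerts.txt" "$work/chain")
  echo "server presented $n certificate(s); leaf (cert-1.pem) fingerprint:"
  cert_fingerprint "$work/chain/cert-1.pem"
  key=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
  echo "alias 'nsx' in commonsvcs trust store:"
  check_alias /etc/vmware/vcf/commonsvcs/trusted_certificates.store "$key" nsx
  echo "alias 'nsx' in Java cacerts:"
  check_alias /etc/alternatives/jre/lib/security/cacerts changeit nsx
}

# Constructed sample of s_client -showcerts output (two placeholder blocks,
# not real X.509 data) so split_chain can be exercised without a network.
sample_showcerts() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = nsx-mgr.example.test
verify error:num=18:self-signed certificate
---
Certificate chain
 0 s:CN = nsx-mgr.example.test
   i:CN = example-lab-ca
-----BEGIN CERTIFICATE-----
TEVBRkNFUlQ=
-----END CERTIFICATE-----
 1 s:CN = example-lab-ca
   i:CN = example-lab-ca
-----BEGIN CERTIFICATE-----
Q0FDRVJU
-----END CERTIFICATE-----
---
EOF
}

# Usage on the VCF appliance (as root, after step 6): sh nsx_trust_check.sh <NSX-FQDN>
if [ "$#" -gt 0 ]; then
  import_check "$1"
fi
```

If `check_alias` prints nothing and exits non-zero for either store, the import in step 5 or 6 did not land and restarting services in step 7 will not help; if the fingerprint it prints differs from the leaf fingerprint, the alias holds a stale certificate and should be deleted (`keytool -delete -alias nsx ...`) and re-imported from the freshly fetched file.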