NSX Certificate flagged by a vulnerability scanner as untrusted due to it being expired cannot be located within the NSX UI > certificates page.


Article ID: 432470


Products

VMware NSX

Issue/Introduction

  • A vulnerability scanner such as Tenable Nessus or Qualys VMDR has flagged an NSX certificate as "untrusted" because it has expired. The scanner output may look like the following:

"The following certificate was part of the certificate chain
sent by the remote host, but it has expired:
|-Subject   : C=## /ST=######## /L=######## /O=############ /#############
|-Not After : Nov 07 06:57:16 20## GMT"

  • Searching the NSX UI Certificates page does not find any expired certificates.

  • If the expired certificate is the one used by the API service, log into the NSX UI through the Manager FQDN or IP address associated with the expired certificate and check the connection status in the browser address bar. In Chrome, "Not Secure" appears next to the padlock symbol, and the General tab of the certificate viewer shows an expiration date that is already in the past.

Environment

VMware NSX 3.2.x, 4.0.x, 4.1.x, 4.2.x

Cause

  • This is caused by a workflow and database logic error: the release sequence for the old certificate did not complete, so one or more mapped references to the old certificate remain in the database even though the new certificate is actively securing the service.

Resolution

  • If you encounter this issue, run the CARR script attached to this KB: Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX
    • Though the CARR script's primary use is to find and replace expired and expiring self-signed certificates, it also discovers discrepancies where the certificate recorded in the database does not match the certificate the service (such as the API) is actually serving, and resolves them. See below for an example of the output the CARR script may return:


  • If the issue persists after running the CARR script, please open a support request with Broadcom NSX support and reference this KB.