One or more transport nodes (ESXi hosts) show a status of Down or Disconnected in the NSX Manager UI.
When logged into the affected ESXi host, running the nsxcli command shows the controller status as Disconnected.
VMware NSX
The ESXi host and the NSX Manager are rejecting each other's SSL verification, resulting in a failure to establish the management plane connection. Both the manager and the host log each other's SSL certificates as "unknown."
Common reasons for this mismatch include:
The NSX Manager's SSL certificate was recently replaced or renewed.
There was a typographical error in the thumbprint during the initial host configuration.
An SSL-inspecting firewall or proxy is situated between the ESXi host and the NSX Manager, altering the certificate presented.
To resolve this issue, you must retrieve the current, exact SHA-256 certificate thumbprint directly from the NSX Manager and manually re-establish trust from the ESXi host.
Step 1: Retrieve the Correct NSX Manager Thumbprint
Choose one of the following methods to obtain the correct thumbprint:
Method A: Via NSX Manager CLI (Recommended)
SSH into the primary NSX Manager appliance using the admin account.
Run the following command:
    get certificate api thumbprint
Copy the resulting alphanumeric string.
Method B: Via OpenSSL (Alternative)
Use this method from the ESXi host or another Linux machine if you cannot SSH into the NSX Manager.
Run the following command (replace <NSX-Manager-IP> with your manager's actual IP address):
    echo -n | openssl s_client -connect <NSX-Manager-IP>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
Note: You must remove the "SHA256 Fingerprint=" prefix and all colons (:) from the output to get the raw string required for Step 2.
Step 2: Rejoin the Transport Node
Apply the retrieved thumbprint to the affected host to explicitly instruct it to trust the NSX Manager's current SSL certificate.
SSH into the disconnected ESXi host.
Run the following command to rejoin the management plane:
    nsxcli -c join management-plane <NSX-Manager-IP> username admin thumbprint <Correct-Thumbprint> password <admin-password>
Ensure you substitute the bracketed variables with your environment's actual IP, thumbprint, and password.
Once executed, verify the connection status in the NSX UI; the node should transition back to an Up state.
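Added example (not part of the original article or vendor tooling): a shell helper that performs the clean-up described in the Method B note and compares the thumbprint seen over the network with the one read from the NSX Manager CLI in Method A, which exposes the SSL-inspecting proxy case listed under the common causes. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed for illustration.

# Reduce an "openssl x509 -fingerprint -sha256" line (or an already-raw value)
# to the bare hex string: drop everything up to "=", then colons and whitespace.
# Stripping up to "=" covers both "SHA256 Fingerprint=" and the lower-case
# "sha256 Fingerprint=" label printed by OpenSSL 3.x.
normalize_thumbprint() {
    tp_raw=$(printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \r\n')
    # A SHA-256 thumbprint is exactly 64 hex characters; reject anything else
    # (truncated paste, empty output because the TLS connection failed, ...).
    case "$tp_raw" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#tp_raw}" -eq 64 ] || return 1
    printf '%s\n' "$tp_raw"
}

# Case-insensitive comparison of two thumbprints in either notation.
# Returns 0 on match, 1 on mismatch, 2 if either value is malformed.
thumbprints_match() {
    tp_a=$(normalize_thumbprint "$1") || return 2
    tp_b=$(normalize_thumbprint "$2") || return 2
    tp_a=$(printf '%s' "$tp_a" | tr 'A-F' 'a-f')
    tp_b=$(printf '%s' "$tp_b" | tr 'A-F' 'a-f')
    [ "$tp_a" = "$tp_b" ]
}

# Method B wrapped as a function: what does <host>:443 present on THIS path?
fetch_thumbprint() {
    tp_line=$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256) || return 1
    normalize_thumbprint "$tp_line"
}

# Constructed sample values (not from a real appliance).
SAMPLE_OPENSSL_LINE='sha256 Fingerprint=3A:1F:0C:9D:44:E2:7B:58:A0:6E:11:F3:C7:25:8B:D9:02:AF:63:4C:90:5E:B1:7A:ED:36:C8:14:F0:29:85:D7'
SAMPLE_CLI_THUMBPRINT='3a1f0c9d44e27b58a06e11f3c7258bd902af634c905eb17aed36c814f02985d7'

if thumbprints_match "$SAMPLE_OPENSSL_LINE" "$SAMPLE_CLI_THUMBPRINT"; then
    echo "match: this path presents the same certificate the Manager reports"
else
    echo "MISMATCH: a different certificate is presented on this path" >&2
fi
```

If the value returned over the network differs from the one the NSX Manager CLI reports, something on the path is presenting its own certificate; use the Method A value for Step 2 rather than pinning the intermediary's certificate.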