Registration Issues for Avi on NSX Manager Due to Certificate Validation Failure
Article ID: 439998

Products

VMware Avi Load Balancer, VMware NSX

Issue/Introduction

  • During Avi Controller onboarding with NSX Manager, the registration process fails. The following error may be observed: "Error creating User/Role in Avi Load Balancer Controller. Please try again."
  • The onboarding workflow may remain incomplete, or the Avi endpoint registration may fail repeatedly.

Environment

  • VMware NSX-T Data Center
  • NSX Manager integrated with Avi Controller

Cause

NSX Manager does not trust the Avi Controller certificate chain during onboarding. As a result:

  • NSX fails to create the required Avi user roles (nsxt-alb, nsxt-ako).
  • The onboarding workflow remains incomplete.

Diagnosis

1. Check the current ALB endpoint status:

curl -k -u 'admin:<password>' --location --request GET \
https://<nsx-manager-ip>/policy/api/v1/infra/sites/default/enforcement-points/alb-endpoint

If the response shows "status": "DEACTIVATE_API", the endpoint must be deleted before re-onboarding.

2. Check NSX Manager logs at /var/log/proton/nsxapi.log. The following entry confirms a certificate trust issue:

REST API failed: https://<Avi Controller IP>/api/role
PKIX path building failed: java.security.cert.CertPathBuilderException:
Unable to find certificate chain.
SSLHandshakeException: PKIX path building failed.

Resolution

Step 1 — Remove the Existing ALB Endpoint (only if status is DEACTIVATE_API)

curl -k -X DELETE \
https://<nsx-mgr-ip>/policy/api/v1/infra/sites/default/enforcement-points/alb-endpoint \
-u admin:'<password>'

If the status is not DEACTIVATE_API, skip to Step 2.

Step 2 — Import the Avi Root CA into NSX Manager

curl -k -u 'admin:<password>' --request POST \
--url 'https://<nsx-mgr-ip>/policy/api/v1/trust-management/certificates/<cert_name>?action=import_trusted_ca' \
--header 'Content-Type: application/json' \
--data '{ "pem_encoded": "-----BEGIN CERTIFICATE-----\n<root_cert_content>\n-----END CERTIFICATE-----" }'

Where:

  • <cert_name> — desired certificate object name in NSX
  • <root_cert_content> — PEM-encoded Avi root CA content; line breaks inside the PEM must be written as \n so the certificate is a single JSON string

Step 3 — Clean Up Stale Avi Accounts (skip this step if none are present)

On the Avi Controller, delete the following users under Administration > Users (created by the previous failed onboarding attempt):

  • nsxt-alb
  • nsxt-ako

Step 4 — Re-Register Avi Controller via Onboarding API

curl -k -u admin --location --request PUT \
'https://<nsx_mgr_ip>/policy/api/v1/infra/alb-onboarding-workflow' \
--header 'X-Allow-Overwrite: True' \
--header 'Content-Type: application/json' \
--data-raw '{
  "owned_by": "LCM",
  "cluster_ip": "<cluster_ip>",
  "infra_admin_username": "<username>",
  "infra_admin_password": "<password>",
  "dns_servers": ["<dns-server-ip>"],
  "ntp_servers": ["<ntp-server-ip>"],
  "default_cert": false
}'

Because -u admin is given without a password, curl prompts for the NSX Manager admin password before sending the request.

Verification

Confirm the registration status:

curl -k -u 'admin:<nsxpassword>' --location --request GET \
https://<nsx-mgr-ip>/policy/api/v1/infra/sites/default/enforcement-points/alb-endpoint

A successful onboarding returns:

"status": "DEACTIVATE_PROVIDER"

The same state can also be verified from the NSX App Switcher UI. This confirms the onboarding workflow has completed and the Avi provider is registered with NSX Manager.
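The following shell helpers are an added example, not part of the KB article or the NSX/Avi products: they map the alb-endpoint status to the step of this procedure that applies, and build the import_trusted_ca payload from a PEM file (the error-prone part of Step 2, where every line break must become a literal \n). They assume NSX_MGR, NSX_USER and NSX_PASS are exported by the operator; -k mirrors the article's own curl usage.

```shell
# Pull the "status" value out of the alb-endpoint JSON without needing jq
# (first match only; NSX may pretty-print the response over several lines).
extract_status() {
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Decide the next action from the endpoint status, following Steps 1-2 and Verification.
next_step_for_status() {
  case "$1" in
    DEACTIVATE_API)      echo "delete-endpoint" ;;     # Step 1, then Step 2
    DEACTIVATE_PROVIDER) echo "already-registered" ;;  # onboarding completed
    *)                   echo "import-ca" ;;           # skip Step 1, go to Step 2
  esac
}

# Turn a PEM file into the JSON body NSX expects: the certificate must be one
# JSON string, so each line break becomes the two characters "\n" (CRLF tolerated).
pem_to_import_payload() {
  pem_file="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem_file" || {
    echo "not a PEM certificate: $pem_file" >&2; return 1; }
  body=$(tr -d '\r' < "$pem_file" | awk '{ printf "%s%s", sep, $0; sep = "\\n" }')
  printf '{ "pem_encoded": "%s" }' "$body"
}

# Operator entry points (these perform network calls; names are this example's own).
import_avi_root_ca() {
  cert_name="$1"; pem_file="$2"
  payload=$(pem_to_import_payload "$pem_file") || return 1
  curl -k -s -u "$NSX_USER:$NSX_PASS" --request POST \
    --url "https://$NSX_MGR/policy/api/v1/trust-management/certificates/$cert_name?action=import_trusted_ca" \
    --header 'Content-Type: application/json' --data "$payload"
}

check_alb_endpoint() {
  resp=$(curl -k -s -u "$NSX_USER:$NSX_PASS" \
    "https://$NSX_MGR/policy/api/v1/infra/sites/default/enforcement-points/alb-endpoint")
  status=$(extract_status "$resp")
  echo "status=$status next=$(next_step_for_status "$status")"
}
```

Run check_alb_endpoint first; only when it reports delete-endpoint is Step 1 required before import_avi_root_ca.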