Alarms Indicating CBM Certificates Have Expired or Are Expiring Prevent NSX Manager Upgrades

search cancel

Alarms Indicating CBM Certificates Have Expired or Are Expiring Prevent NSX Manager Upgrades

book

Article ID: 324175

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

The environment runs NSX 4.1.0.2 or above, and was upgraded from NSX-T 3.2.x.
NSX Alarms indicate certificates are expired or about to expire.
The expiring certificates contain "Corfu Client" in their name.
Error may also appear during an upgrade such as below where the ID matches to a CBM certificate:

The certificate with id ########-####-####-####-############ failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading. Refer to KB article https://knowledge.broadcom.com/external/article/324175/

Environment

VMware NSX-T Data Center
VMware NSX

Cause

NSX Managers have many certificates for internal services, in NSX-T 3.2.x, Cluster Boot Manager (CBM) service certificates were incorrectly given a validity period of 825 days instead of 100 years.
This was corrected to 100 years in NSX-T 3.2.3 and NSX 4.1.0.
However, any environment previously running NSX-T 3.2.x (below 3.2.3) will have internal CBM Corfu certificates expiring after 825 regardless of upgrade to the fixed version or not.
While there is no immediate functional impact when an internal CBM certificate expires, alarms will trigger and prechecks will block an upgrade.

Resolution

The CARR script can be used to resolve this issue. See Using Certificate Analyzer Resolver (CARR) Script to fix certificate related issues in NSX.

Additional Information

K8S_MSG_CLIENT certificates can not be deleted after NAPP undeployment, causing expired certificate alarm

Feedback

thumb_up Yes

thumb_down No