"Certificate delete failed: Certificate cannot be deleted because it is used by 1 MP node(s)" error when deleting an NSX-T certificate


Article ID: 319133


Products

VMware NSX

Issue/Introduction

  • Deleting an NSX-T certificate fails.
  • You see the following error:

    Certificate delete failed: Certificate cannot be deleted because it is used by 1 MP node(s).


  • The GET /api/v1/trust-management/certificates/{cert-id} REST API shows that the certificate is still referenced by a node in its used_by field, similar to the following:

    {
      "pem_encoded" : "-----BEGIN CERTIFICATE-----
    (output omitted)
    -----END CERTIFICATE-----",
      "used_by" : [ {
        "node_id" : "74af0842-d9f9-####-####-###########"       <--- node using the certificate
      } ],
      "id" : "04106cfd-0c23-####-####-###########",       <--- certificate ID
      "display_name" : "mp-cluster certificate for node nsx-mngr-01.corp.local",
      "tags" : [ ],
      "_create_user" : "system",
      "_create_time" : 1563623896904,
      "_last_modified_user" : "system",
      "_last_modified_time" : 1563623896959,
      "_system_owned" : false,
      "_protection" : "NOT_PROTECTED",
      "_revision" : 2
    }


    Note: {cert-id} can be obtained from the NSX-T UI in System > Certificates.
  • The GET /api/v1/cluster/nodes/{node-id} REST API, however, shows that the node is not using the certificate, so the used_by entry on the certificate is a stale reference.

    Note: {node-id} is the node_id value in the used_by field returned by the certificate API above.
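The cross-check described above, as an added example that is not part of this KB article: read the certificate's used_by list, compare each referenced node_id against the cluster membership from GET /api/v1/cluster/nodes, and report which references point at a live manager node (to be inspected with GET /api/v1/cluster/nodes/{node-id}) and which are dangling. The sample certificate and node documents are constructed here, reusing the masked placeholder IDs from the article; the nsx_get helper, the basic-auth scheme, the manager hostname and the CA file are assumptions, and the "results" array shape of NSX list responses is standard NSX REST behaviour.

```python
"""Added example (not from the KB article): cross-check a certificate's used_by
references against the NSX Manager cluster membership before attempting deletion."""
import base64
import json
import ssl
import urllib.request

# Constructed sample mirroring the certificate object shown in the article. The IDs
# are the article's masked placeholders, not real NSX identifiers.
SAMPLE_CERT = {
    "id": "04106cfd-0c23-####-####-###########",
    "display_name": "mp-cluster certificate for node nsx-mngr-01.corp.local",
    "used_by": [{"node_id": "74af0842-d9f9-####-####-###########"}],
    "_revision": 2,
}

# Constructed sample in the shape of a GET /api/v1/cluster/nodes response (NSX list
# APIs return the objects in a "results" array). The second node is invented.
SAMPLE_NODES = {
    "results": [
        {"id": "74af0842-d9f9-####-####-###########", "display_name": "nsx-mngr-01.corp.local"},
        {"id": "b3e1c5aa-0000-####-####-###########", "display_name": "nsx-mngr-02.corp.local"},
    ],
    "result_count": 2,
}


def referencing_nodes(cert):
    """Node IDs that the certificate object claims are using it (its used_by field)."""
    return [u["node_id"] for u in cert.get("used_by", []) if "node_id" in u]


def can_delete(cert):
    """The manager refuses DELETE while used_by is non-empty; the count of entries is
    the 'N MP node(s)' figure quoted in the error message of this KB."""
    return not referencing_nodes(cert)


def classify_references(cert, nodes):
    """Map each referencing node_id to 'present' (still a cluster member, so inspect it
    with GET /api/v1/cluster/nodes/{node-id}) or 'missing' (the node is gone and the
    reference is dangling)."""
    members = {n["id"] for n in nodes.get("results", [])}
    return {nid: ("present" if nid in members else "missing") for nid in referencing_nodes(cert)}


def nsx_get(manager, path, user, password, cafile=None):
    """GET a REST path from an NSX Manager with HTTP basic auth (assumed helper).
    'cafile' is the CA that signed the manager's API certificate; TLS verification is
    left enabled on purpose."""
    req = urllib.request.Request("https://%s%s" % (manager, path))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def report(cert, nodes):
    """Human-readable summary of why a DELETE of this certificate would be refused."""
    lines = []
    for nid, state in classify_references(cert, nodes).items():
        if state == "present":
            lines.append("%s still references cert %s; check GET /api/v1/cluster/nodes/%s"
                         % (nid, cert.get("id"), nid))
        else:
            lines.append("%s references cert %s but is not a cluster member (dangling)"
                         % (nid, cert.get("id")))
    if not lines:
        lines.append("no used_by references; DELETE should succeed")
    return lines


if __name__ == "__main__":
    # Offline run on the constructed samples. Against a live manager you would instead
    # fetch both documents (hostname, credentials and CA file are placeholders):
    #   cert  = nsx_get("nsx-mngr-01.corp.local",
    #                   "/api/v1/trust-management/certificates/" + cert_id, "admin", pw, "nsx-ca.pem")
    #   nodes = nsx_get("nsx-mngr-01.corp.local", "/api/v1/cluster/nodes", "admin", pw, "nsx-ca.pem")
    for line in report(SAMPLE_CERT, SAMPLE_NODES):
        print(line)
```

A "present" result is the situation this KB describes: the certificate still carries the node_id, the node still exists, but the node itself no longer uses the certificate. A "missing" result means the referenced manager has been removed from the cluster; in both cases the stale entry cannot be cleared through the public API, and the two JSON documents are exactly what the support case asks for below.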

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

This issue occurs because the NSX Manager does not release the certificate automatically: the node_id remains in the certificate's used_by field even though the node itself no longer uses the certificate. This is a workflow defect. As long as any reference object is mapped to a certificate, the manager refuses to delete it.

Resolution

If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.

Additional Information

If you are contacting Broadcom support about this issue, in order to aid a timely response and resolution, please provide the following:

  • Logs from the NSX Manager node to which the certificate is attached; if that node no longer exists, from another manager node in the cluster.
  • If known, the type of certificate: self-signed or CA-signed, and whether it is a PI (principal identity), service or platform certificate.
  • Error message observed, text and screenshot.
  • Results from the following API calls:
    • GET /api/v1/cluster/nodes/{node-id}
    • GET /api/v1/trust-management/certificates/{cert-id}

Handling Log Bundles for offline review with Broadcom support: