Replacing cluster certificate or node certificate on NSX Unified Appliance
search cancel

Replacing cluster certificate or node certificate on NSX Unified Appliance

book

Article ID: 327370

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
When using CA signed certificates on NSX Unified appliance AND certificate not being a full chain, including Root, Intermediate and leaf certificate. Post installation, you experience these symptoms:
  • Deploying NSX Intelligence appliance fails.
  • While accessing NSX Intelligence from Discover & Take Action page in Plan & Troubleshoot tab in NSX-T Datacenter using CA signed certificates, you see this error similar to:

    The application server is unable to fulfill your request due to insufficient privileges. You do not have the privileges to access NSX Intelligence. (403 Forbidden)
     
  • In the /var/log/pace/token-registration.log file of the NSX Intelligence appliance, you see entries similar to:

    "ERROR: PACE Invalid cluster certificate used. Please use self-signed cert or upload FULL chain of CA signed cert including ROOT authority public cert!!'"


Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.5.x

Cause

This issue may occur due to these reasons:
  1. The cluster certificate is a partial chain (including Intermediate and leaf certificate), but not the Root CA certificate.
  2. Certificate pem_encoded field contains extra Bag Attributes. (For example, non-base64 characters).
  3. There is a time drift between NSX UA and NSX Intelligence appliance. This may happen if you are using different NTP servers or no NTP servers.

Resolution

This is a known issue in how chain certificate export is done at the Certificate Authority (CA). It affects all releases of NSX-T Data Center and NSX Intelligence.

Currently, there is no resolution.

Workaround:
To work around this issue:

Note: All workaround steps require that the unsuccessfully deployed NSX Intelligence appliance is deleted.

For the cluster certificate that is a partial chain (including Intermediate and leaf certificate), but not the Root CA certificate

  1. Export your CA signed certificate as a full chain. This includes root, Intermediate and leaf certificate.
  2. Import and set the CA signed full certificate chain as your cluster certificate. For more information, see the Replace the Certificate for an NSX Manager Node or an NSX Manager Cluster Virtual IP section of the NSX Data Center Administration Guide.
  3. Delete the old partial certificate that was uploaded.

For the cause of Certificate pem_encoded field containing extra Bag Attributes (For example, non-base64 characters)

  1. Identify the certificates on NSX Unified Appliance which contain BagAttributes or non-base64 characters.
  2. Follow steps in NSX-T Intelligence deployment stuck at message "The NSX Intelligence appliance deployment is in progress" (78048).
  3. Upload the same certificates as new certs without the extra attributes/characters and only containing the actual cert starting and ending with:

    -----BEGIN CERTIFICATE----- 
    .
    .
    -----END CERTIFICATE-----
     
  4. Set the newly uploaded cert as node certificate or cluster certificate, as appropriate. For more information, see the Replace the Certificate for an NSX Manager Node or an NSX Manager Cluster Virtual IP section of the NSX-T Data Center Administration Guide.
  5. Delete the old certificates with extra attributes/characters.
  6. Redeploy NSX Intelligence appliance.

For the cause of a time drift between NSX UA and NSX Intelligence appliance

  1. Delete the NSX Intelligence appliance.
  2. Redeploy NSX Intelligence appliance.
    • As part of config provided during deployment, set NTP Servers to match the same servers as the ones configured on NSX UA.


Powered by Wolken Software