This is a known issue in how chain certificate export is done at the Certificate Authority (CA). It affects all releases of NSX-T Data Center and NSX Intelligence.
Currently, there is no resolution.
Workaround:
To work around this issue:
Note: All workaround steps require that the unsuccessfully deployed NSX Intelligence appliance is deleted.
If the cluster certificate is a partial chain (it includes the intermediate and leaf certificates, but not the root CA certificate):
- Export your CA-signed certificate as a full chain. The full chain includes the root, intermediate, and leaf certificates.
- Import the CA-signed full certificate chain and set it as your cluster certificate. For more information, see the Replace the Certificate for an NSX Manager Node or an NSX Manager Cluster Virtual IP section of the NSX Data Center Administration Guide.
- Delete the old partial certificate that was uploaded.
If the certificate's pem_encoded field contains extra Bag Attributes (for example, non-base64 characters):
- Identify the certificates on the NSX Unified Appliance that contain BagAttributes or non-base64 characters.
- Follow the steps in NSX-T Intelligence deployment stuck at message "The NSX Intelligence appliance deployment is in progress" (78048).
- Upload the same certificates as new certificates without the extra attributes or characters, so that each contains only the actual certificate, starting and ending with:
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
- Set the newly uploaded certificate as the node certificate or cluster certificate, as appropriate. For more information, see the Replace the Certificate for an NSX Manager Node or an NSX Manager Cluster Virtual IP section of the NSX-T Data Center Administration Guide.
- Delete the old certificates with the extra attributes or characters.
- Redeploy the NSX Intelligence appliance.
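
One way to carry out the identify and clean-up steps above offline, as an added example that is not part of the original article or of NSX tooling: the function keeps only the CERTIFICATE blocks and reports every extra line or non-base64 body it finds. The name clean_pem and the sample input are assumptions made for illustration.

```python
import base64
import binascii
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)

def clean_pem(text):
    """Return (cleaned_pem, findings) for a pem_encoded value.

    Keeps only the CERTIFICATE blocks, re-wrapped at 64 columns, and lists
    everything that has to be removed before the certificate is uploaded.
    """
    findings, blocks, pos = [], [], 0
    for n, m in enumerate(BLOCK.finditer(text), start=1):
        # Anything between blocks (Bag Attributes, subject=, issuer=) is extra.
        for line in text[pos:m.start()].splitlines():
            if line.strip():
                findings.append(f"extra line before cert {n}: {line.strip()}")
        pos = m.end()
        body = "".join(m.group(1).split())  # drop line breaks and padding spaces
        try:
            base64.b64decode(body, validate=True)  # rejects non-base64 characters
        except binascii.Error:
            findings.append(f"cert {n}: non-base64 characters in body")
            continue
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    for line in text[pos:].splitlines():
        if line.strip():
            findings.append(f"extra line after last cert: {line.strip()}")
    return "".join(blocks), findings

# Constructed sample: placeholder bytes, not a real certificate, preceded by
# the kind of Bag Attributes header lines the article describes.
BODY = base64.b64encode(b"constructed placeholder, not real DER " * 3).decode()
SAMPLE = (
    "Bag Attributes\n"
    "    friendlyName: constructed-leaf\n"
    "subject=CN = nsx.example.test\n"
    f"{BEGIN}\n{BODY}\n{END}\n"
)

if __name__ == "__main__":
    cleaned, findings = clean_pem(SAMPLE)
    print("\n".join(findings))
    print(cleaned, end="")
```

The function checks only the text framing and base64 encoding; it does not parse the certificate or verify that the chain is complete.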
If there is a time drift between the NSX UA and the NSX Intelligence appliance:
- Delete the NSX Intelligence appliance.
- Redeploy the NSX Intelligence appliance.
- As part of the configuration provided during deployment, set the NTP servers to the same servers that are configured on the NSX UA.