Connecting NSX for Multi-Hypervisor to a re-installed NSX Controller fails (2077288)
If the Controllers are reinstalled or reinitialized, the transport nodes will no longer communicate with the Controller Cluster due to the certificate change on the Controllers.
Note: If you restore Controller Cluster state from a snapshot, or if you reinstall one Controller and rejoin it to the cluster, then this issue does not arise because the original Controller certificate is retained.
Solution for Hypervisors:
The certificate from the Controller must be updated manually on the Hypervisor after the re-installation or reinitialization of the Controller node.
To renew the Controller certificate on the Hypervisor:
- From the hypervisor console, remove the existing Controller certificate:
# mv /etc/openvswitch/vswitchd.cacert /etc/openvswitch/vswitchd.cacert.bak
Note: You may keep this as a backup, if required.
- Restart Open vSwitch:
# /etc/init.d/openvswitch restart
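An added check, not part of the original article or of VMware's tooling: after the restart, compare the SHA-256 fingerprint of the certificate now in /etc/openvswitch/vswitchd.cacert with one obtained out of band from the reinstalled Controller, and confirm it differs from the .bak copy. It assumes Python 3 on the host (or the two files copied elsewhere) and that Open vSwitch writes the re-fetched certificate to the same path; the function names and status strings are illustrative.

```python
import base64, hashlib, re, sys, tempfile
from pathlib import Path

CACERT = Path("/etc/openvswitch/vswitchd.cacert")   # path from the procedure above
BACKUP = Path(str(CACERT) + ".bak")                 # backup made in the first step
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_path):
    """SHA-256 fingerprint (lowercase hex) of each certificate in a PEM file."""
    text = Path(pem_path).read_text(encoding="ascii")
    ders = (base64.b64decode("".join(b.split()), validate=True)
            for b in PEM_BLOCK.findall(text))
    return [hashlib.sha256(der).hexdigest() for der in ders]

def check_renewed_cert(expected_fp, new_path=CACERT, old_path=BACKUP):
    """Classify the re-fetched certificate: missing, empty, stale, mismatch or ok."""
    # Accept both "AB:CD:..." (openssl style) and plain hex fingerprints.
    expected = expected_fp.replace(":", "").strip().lower()
    if not Path(new_path).is_file():
        return "missing"        # no certificate has been fetched yet
    new = fingerprints(new_path)
    if not new:
        return "empty"          # file exists but holds no PEM certificate
    if Path(old_path).is_file() and set(new) & set(fingerprints(old_path)):
        return "stale"          # same certificate as before the reinstall
    if expected not in new:
        return "mismatch"       # not the certificate the operator expects
    return "ok"

if __name__ == "__main__":
    if len(sys.argv) == 2:      # real use: fingerprint obtained out of band
        status = check_renewed_cert(sys.argv[1])
    else:                       # offline demo on constructed, non-X.509 sample data
        tmp = Path(tempfile.mkdtemp())
        for name, body in (("old", b"constructed-old"), ("new", b"constructed-new")):
            (tmp / name).write_text(
                "-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(body).decode()
                + "-----END CERTIFICATE-----\n")
        status = check_renewed_cert(
            hashlib.sha256(b"constructed-new").hexdigest(), tmp / "new", tmp / "old")
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

Any status other than ok means the hypervisor should not be left trusting the file as it stands.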
Solution for Gateways and Service Nodes:
The certificate from the Controller must be updated manually on each Service Node and NSX Gateway after the re-installation or re-initialization of the Controller node.
To renew the Controller certificate on the transport node:
- From the transport node CLI, disconnect this transport node from the Controller cluster:
# clear switch managers
- Clear the Controller certificate:
# clear switch manager-certificate
- Reconnect the transport node to the Controller Cluster:
# add switch manager <ip_address_of_Controller>
This causes the transport node to get a new copy of the Controller certificate from the Controller.