Precheck fails while activating NSX Network Detection and Response.
Problem
The logs of the nsx-ndr-precheck
job contain the following error:
2022-10-04 19:43:44,954 - nsx_api_client.nsx_api_client - ERROR - communication error: HTTPSConnectionPool(host='external-nsx-manager', port=443): Max retries exceeded with url: /api/v1/licenses (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
In these logs, the specific issue manifests with the error string "CERTIFICATE_VERIFY_FAILED"
in the connection to the host "external-nsx-manager"
.
To know more information about how to access these logs, refer step 4 b of NSX Network Detection and Response Activation Precheck Failed.
Cause
The problem occurs because of issues with the certificate setup for the NSX Manager cluster.
Solution
- To resolve the issue, make sure that you have correctly configured the certificates for each node in the NSX Manager cluster and for the cluster itself. Specifically verify:
- Each certificate has a common name that matches the fully qualified domain name it is used for.
- No two certificates use the same common name.
- To verify that the certificate setup is correct, here are the two suggested approaches.
- Using a web browser:
With a web browser, visit each of the NSX Manager nodes individually using their fully qualified domain names, and also visit the cluster domain name. At each of these domains, use the browser tools and view the certificate information and in particular Common Name of the certificate. Confirm that the common name exactly matches the visited domain name in the URL bar of the browser.
- Using the Command Line Tools:
In a shell, for one of the NSX Manager nodes, run the following commands:
- Extract the trusted CA certificate from the Kubernetes platform.
napp-k get secret/nsx-ndr-precheck-ccpchk-nsx-manager-truststore -o jsonpath='{.data.ca\.crt}'| base64 -d > /tmp/ca.crt
The command extracts the trusted certificate authorities from the Kubernetes platform into the /tmp/ca.crt file.- View the
subject
of the trusted certificates.
openssl storeutl -noout -certs --text /tmp/ca.crt |grep "Subject:" Subject: C=US, ST=CA, L=Palo Alto, O=VMware Inc., OU=NSX, CN=k8s-platform-ca Subject: C=US, ST=CA, L=Palo Alto, O=VMware Inc., OU=NSX, CN=vmnsxt-mgmt-p01.example.com Subject: C=US, ST=CA, L=Palo Alto, O=VMware Inc., OU=NSX, CN=vmnsxt-mgmt-p02.example.com Subject: C=US, ST=CA, L=Palo Alto, O=VMware Inc., OU=NSX, CN=vmnsxt-mgmt-p03.example.com Subject: C=US, ST=CA, L=Palo Alto, O=VMware Inc., OU=NSX, CN=vmnsxt-mgmt-p01.example.com
The command parses those certificates and prints out the
subject
of each certificate. The command also includes the common name of the certificate which is after"CN="
in the sample example.Verify that the common names shown are all different and match the expected fully qualified domain names for the nodes of the NSX Manager cluster and for the cluster itself.
In the earlier example, the common name
vmnsxt-mgmt-p01.example.com
occurs twice. The sample setup is configured incorrectly. The fully qualified domain name for the NSX Manager cluster isvmnsxt-mgmt.example.com
, but the certificate uses an incorrect common namevmnsxt-mgmt-p01.example.com
.
- Using a web browser: