After you deploy NSX Application Platform, you can change your expired proxy certificate or replace an existing proxy certificate with a new one.

Prerequisites

  • Verify that you have an NSX Application Platform deployment with a private Harbor certificate. See Run the NSX Application Platform Automation Appliance Deployment Wizard.
  • Make sure that the new self-signed certificate of the proxy server is added to NSX for the HTTPS proxy. See the Replace Certificates topic in the Certificates section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.
  • Ensure that the proxy settings are updated with the new certificate. See the Configure Proxy Settings topic in the Operations and Management section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.

Procedure

  1. Verify that the NSX Application Platform proxy server settings are updated.
    1. Log in to the NSX Manager CLI as the root user.
    2. Check the proxy server configuration in the secrets file.
      napp-k get secrets platform-proxies --template={{.data.proxies}} | base64 --decode
      
      Example output -
      {
          "hostName": "proxy.nsbucqesystem.net",
          "port": 3129,
          "userName": "admin",
          "password": "<password>",
          "scheme": "https",
          "certificate": "-----BEGIN CERTIFICATE-----\nMIIGYTCCBEmgAwIBAgIUTTeT/2aHozy1mO+Djh9xW3DOcuQwDQYJKoZIhvcNAQEL\nBQAwajEgMB4GA1UEAwwXcHJveHkubnNidWNxZXN5c3RlbS5uZXQxCzAJBgNVBAYT\nAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUHVuZTEPMA0GA1UECgwGVk13YXJl\nMQwwCgYDVQQLDANBTlMwHhcNMjQwMjE0MTAzODQwWhcNMjYwMjEzMTAzODQwWjBq\nMSAwHgYDVQQDDBdwcm94eS5uc2J1Y3Flc3lzdGVtLm5ldDELMAkGA1UEBhMCSU4x\nCzAJBgNVBAgMAk1IMQ0wCwYDVQQHDARQdW5lMQ8wDQYDVQQKDAZWTXdhcmUxDDAK\nBgNVBAsMA0FOUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKRBi1pn\ndQQVpt/M3IF6XbynK+7/tLoACnLheUHn9H+AD+t5H9uBoJj7B4CDMSERVUQJnwNF\nvjl/rYA8FqWHWZ4FKXkcUiL3Oev0gbkynJPIDgCoY0rNHBkQn4dAqsWIw0tfbEfG\n2OX19XOQDHZIiOxxxyhy0TLlVTUdWSPd3zNxt8tCNM+A/qTHgNIflhn84llhrUtR\nnnQw0phrlIzLmbF464zp4LyIpV6kxXdoKZD6ou7uTHn16zbhtSVqDECMAmbrRKXR\nq2eu/lMdEmHOGYbIiR4GjeV0iDewkgGvdRj4PouIeGO9NHDAEo5O6QVRxv6Oss3V\nSzr4SWbp1Z2P4NLbS0Be3LowP2+dnkouhFjYUNwnM52XIhrFu8fY6rZo/xEdq9Gp\nUX8C60OYUGD0f6xGpdPVacLBijgZLsSJZxqzUVb9QRhL8xQPLu1qzALbZoX1G9Nb\nvZKPEUnUifZGZy2ORVTTpYX4cHHCmB005eo3ywG7NkmWm8q/IJtXCKViIqZ3Wafh\n6z1o3xvswUn79KOW2HZQf+3JqAm+IS13afsExu7uixvSK/uEVF7ClfM/uE+tWFvY\nYEjZpZlgQBf35WIhPShQo88ajZEG3dKNZkSrKgFDpIWpYWKc49oQqol8sz9pYs+J\n0kh1/e7eRlaOqwPGzlP1nrI/WN/LLjwRZQXFAgMBAAGjgf4wgfswgZEGA1UdIwSB\niTCBhqFupGwwajEgMB4GA1UEAwwXcHJveHkubnNidWNxZXN5c3RlbS5uZXQxCzAJ\nBgNVBAYTAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUHVuZTEPMA0GA1UECgwG\nVk13YXJlMQwwCgYDVQQLDANBTlOCFE03k/9mh6M8tZjvg44fcVtwznLkMAkGA1Ud\nEwQCMAAwCwYDVR0PBAQDAgTwMC4GA1UdEQQnMCWCF3Byb3h5Lm5zYnVjcWVzeXN0\nZW0ubmV0hwQUFAAHhwQKrE7ZMB0GA1UdDgQWBBS3eoRDmK0pJW0APVuAsDg2GMvI\nnTANBgkqhkiG9w0BAQsFAAOCAgEAn5Xz/HU+n9oc6I3A01Y3/XgAgXjQRORg7U3z\nm4nAd/tKQ0Ypo7HqIhJO3uP6U7RQ2NMGYhhdgjY9jHQbmKLqoTLIkiQULd8tZ3Oy\nE3KLhzq7BNtMvKmqhJM8eVdUYB6DuLn01zJo+gDjjNeoC6ZNegqdQgucN91p4IFE\ndZPbYmmKZVsVIqTd25+E6WyhivmG6mnwFV3vkrto82Joc1KMFPeXEUNcFliyrTOn\nD6t1VfodWfqClp0m7XWmD7A2OotfKKFKJQ2f8fV1TQcPAIrA5bVsC1EqowFv0SJT\nhh72ATio8nnltUOukcCDBSVjgNDqqI0Qr7tlTqrngdiCjsyYLIX2vOfMhY/USyud\nlpfwJuBMWlFTapoP8cMRsv/fm7chIFF4oIajH49O8DMkBeH1/uOY74mtiK7OGQpf\nmBvnKuCVqqo9rPaAumyxBRB5mHi7zoWCPTBywCMMnPqhmwMXi2xX+uVxic+GbNof\nGP/UyB0kt/S5bvR0fQSWUGEMg1+4LdKgRpuJx9+YfcCP/expLQaBtpgDVWtzKTQR\nVmi1DdIfomZNVi0UJsU9jsOXNW702nm2sfayLhz2xHzA8ysy5k08/krZuOT2H5bQ\n9tCSeFnmmkTjMTPlWgb6iY2SUF0YAK8lO3Q0OJ7XQTOUhIfi4Ea97aB3prFLk7Aq\npadO6SE\u003d\n-----END CERTIFICATE-----",
          "opType": "UPDATE"
      }
    3. Check the proxy server configuration in the cluster-api pod.
      root@nsx-mgr-1:~# napp-k get pods | grep cluster-api
      cluster-api-868c49c755-8ps7t                                      2/2     Running     4 (20h ago)   20h
      
      Command: napp-k exec -it <cluster-api-pod-name> -c cluster-api cat /config/proxy-config.json
      
      Example - napp-k exec -it cluster-api-868c49c755-8ps7t -c cluster-api cat /config/proxy-config.json
      
      kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
      {"hostName":"proxy.nsbucqesystem.net","port":3130,"userName":"admin","password":"<password>","scheme":"https","certificate":"-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIULG9b6RafAj7qEPOo1j3puz9d1xYwDQYJKoZIhvcNAQEL\nBQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN\nMjQwMjEzMDkwNDQ1WhcNMzQwMjEyMDkwNDQ1WjAoMRIwEAYDVQQDDAltaXRtcHJv\neHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAN8OrW/Wn7wPJ6z3pc0XAwA0kRA2rtntOX/BQ7vReqMRxEjP3PJpT6kB\nXtUXyjWNBHcZOADD6IrgvaT0WdIzDAhDdQuILKh7iuBPGb3aVT/B6l8W+AI3nP6u\nEKVqnvxyXoPzg8dM/muhfHw1JMdu61g/T8407WwEx0OrwH5TxKD+rkWC7TDbtB+h\n1RdXAuGvTJ4G6oIqnSNJIF8vM2LQIpumTR9R6xr5ure6xEwZizd/boG2StU5xuQV\nvpWtJKRbii+N8kLOulYQpqAeST8sJTJaW4YeNxnl77IdTX7EGp+b+8IvkmG1jrwp\nM3ucTgnaYK9AyMwEGYRp6UPZNkISe28CAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB\n/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE\nFI7m8W4RR2fFKDTSauqa4keaoXYmMA0GCSqGSIb3DQEBCwUAA4IBAQDLwx3rWCER\nevq5W1lTWzUU3P/6p0DgTCS1gpd4mGvvOi5xmlt3D4VC9KT3ytEMwoRwXASM6WUb\n+lcXGrkExnVOH2AQ/A+2fElFBwxtd4A+EjJAVIBYrgdNbGm8kQ9qEnd0IEA08nYh\n5qOvRlsog4+eiyOtoOz9a4csn0Lpl9UNv9SpGuBjVpmrWD6L0D6qS+vWQtLo0sPX\n2msbRkPy1l5rgp5CNadlB0CGM9B3bdr5y2D89ZO//2YzIaypV6/6eJeURwi5nwmn\npn6i9H62wCdPgyCNJuTiQwxW0WLAnnRWHTV4g58M0Ze644ndLtB06evzX+qe+Znh\nx91Kh6I8Jam6\n-----END CERTIFICATE-----","opType":"UPDATE"}
      
  2. Cordon the existing Kubernetes worker nodes so that the private Harbor certificate can be changed in the Kubernetes guest cluster.
    1. Log in to the NSX Manager CLI as the root user.
    2. List the existing Kubernetes worker nodes.
      root@nsx-mgr-0:~# napp-k get nodes
      NAME                                                  STATUS   ROLES           AGE   VERSION
      napp-cluster-default-qrk2r-f8xjc                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-hgtq8                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-kw6kk                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      
    3. Cordon the Kubernetes worker nodes.
      napp-k cordon <worker-node-1> <worker-node-2> ... <worker-node-N>
      
      Example -
      root@nsx-mgr-0:~# napp-k cordon napp-cluster-default-workers-qljgg-5758975fcb-btzrw napp-cluster-default-workers-qljgg-5758975fcb-mbpfp napp-cluster-default-workers-qljgg-5758975fcb-md5wp napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 napp-cluster-default-workers-qljgg-5758975fcb-wl6h9
      node/napp-cluster-default-workers-qljgg-5758975fcb-btzrw cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-mbpfp cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-md5wp cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-wl6h9 cordoned
    4. Verify that the Kubernetes worker nodes are cordoned.
      root@nsx-mgr-0:~# napp-k get nodes
      NAME                                                  STATUS                     ROLES           AGE   VERSION
      napp-cluster-default-qrk2r-f8xjc                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-hgtq8                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-kw6kk                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
  3. Change the certificate in the Tanzu Kubernetes guest cluster.
    1. Log in to the Workload Control Plane Supervisor cluster CLI.
    2. List the Kubernetes guest clusters across all namespaces.
      kubectl get tkc -A
      NAMESPACE         NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
      napp-ns-default   napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
    3. Get the Kubernetes guest cluster in its namespace.
      kubectl get tkc <tkc-name> -n <namespace>
      
      Example -
      kubectl get tkc napp-cluster-default -n napp-ns-default
      NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
      napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
      
    4. Replace the old Tanzu Kubernetes guest cluster proxy certificate with the new certificate.
      kubectl edit tkc <tkc-name> -n <namespace>
      
      spec:
        distribution:
          fullVersion: v1.26.5+vmware.2-fips.1-tkg.1
          version: ""
        settings:
          network:
            cni:
              name: antrea
            pods:
              cidrBlocks:
              - 192.168.0.0/16
            serviceDomain: cluster.local
            services:
              cidrBlocks:
              - 10.96.0.0/12
            proxy:
              httpProxy: https://admin:<password>@20.20.210.199:3128    ---> edit the proxy user name, password, IP address, or port number if required
              httpsProxy: https://admin:<password>@20.20.210.199:3128   ---> edit the proxy user name, password, IP address, or port number if required
            trust:
              additionalTrustedCAs:
              - data: <old_certificate_in_base_64_encoded_format>        ---> remove the old certificate if an HTTPS proxy is used
                name: old-proxy-cert                                     ---> remove the old certificate name if an HTTPS proxy is used
              - data: <new_certificate_in_base_64_encoded_format>        ---> add the new certificate in base64-encoded format if an HTTPS proxy is used
                name: new-proxy-cert                                     ---> add the new certificate name if an HTTPS proxy is used
      
      Note: Use a different certificate name for the new proxy certificate in the TKC configuration.
      
      new_certificate_in_base_64_encoded_format example -
      
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdZVENDQkVtZ0F3SUJBZ0lVWlJIVzJ6bDZ2NlVVbmY3a2pQdEVwTnFLWWhvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FqRWdNQjRHQTFVRUF3d1hjSEp2ZUhrdWJuTmlkV054WlhONWMzUmxiUzV1WlhReEN6QUpCZ05WQkFZVApBa2xPTVFzd0NRWURWUVFJREFKTlNERU5NQXNHQTFVRUJ3d0VVSFZ1WlRFUE1BMEdBMVVFQ2d3R1ZrMTNZWEpsCk1Rd3dDZ1lEVlFRTERBTkJUbE13SGhjTk1qUXdOekV4TURZeU5qTTRXaGNOTWpZd056RXhNRFl5TmpNNFdqQnEKTVNBd0hnWURWUVFEREJkd2NtOTRlUzV1YzJKMVkzRmxjM2x6ZEdWdExtNWxkREVMTUFrR0ExVUVCaE1DU1U0eApDekFKQmdOVkJBZ01BazFJTVEwd0N3WURWUVFIREFSUWRXNWxNUTh3RFFZRFZRUUtEQVpXVFhkaGNtVXhEREFLCkJnTlZCQXNNQTBGT1V6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1Kd1FBeVoKaDRqdzR2TWpra05LS0dtTE5YWCtqUlJnVjFjRFFlQnpieEhLQVV6azJmdzA3bHlJa3VQWkFob0hoSlphT3R2SAozMkZUZ3lZT0tIcHJKTHBvalZIanIrQndmRlBLcW9GeGxSL3I5QnVvQW9RdU1pSFdHOFVxdW13WlJocHdBQTRjCkZQRjJSVHFEbnBrK09uSlovcUdHK3Z2aXhzcEUzaWxWcVJ2WUJrVEVmMHRBdFFkazM2aEk3VXBMekthUHpGbnkKa1llUVFiKzlqYkEvSVNiUVFtWDlSVWZVVEZEczY5OVF4M3Vob216THFpaThjQUo4SHNUQndJQmRkSldIV1cxRApCUk9sUmhad1kwdDlhSDdYYk5LV2Y4eGJwVVhPZUtzaUZUc25rTHI5dWJwU09XSHErWmtpK3h5VVVES3hDUFNIClFaRlMvbVdsKyt2K29La1MvVDE4NllQNnoxVFhpSzFQNm42R0l5UThrS1VzS3U2RURxS1dLRDR2Z2RxaytLSXYKUHRnbjFyMzVJdGt0V2UrV0hnMEY0SVhWUnNVQUt2bUtQMSs4d216VTVjNFhUVDJCcEp6MVZBdnZiR3l4WTRDOAp0WEN5b2JPOVBnZFFjN2NORlBiaktIRUVXZTdXcloyVG1ocGtpbDlCeTJxU3N5VUsvNEN2eFozYjh1QjZ1YzJ3CkN5Mm9YZ0JUM2pHTUFqN1lkbzVPNUhyK1dqUDZsN3JhV3JvQk0rRVZDcUFLSmlPdTdTdTRhbkI2Tmo3OWp4MzgKZ1dQTVhJdVlDTjAzbWpkOGtReWhibmVnVFNra1NkUGV0bFgwV2Q5YkxWU2NLRDFQd2sreWxpcExzdXBRdmd4dAoxUEViZ25LRm5kQ1YySThtWG1kaGJtME43OFBrWXE1V0tIVlpBZ01CQUFHamdmNHdnZnN3Z1pFR0ExVWRJd1NCCmlUQ0JocUZ1cEd3d2FqRWdNQjRHQTFVRUF3d1hjSEp2ZUhrdWJuTmlkV054WlhONWMzUmxiUzV1WlhReEN6QUoKQmdOVkJBWVRBa2xPTVFzd0NRWURWUVFJREFKTlNERU5NQXNHQTFVRUJ3d0VVSFZ1WlRFUE1BMEdBMVVFQ2d3RwpWazEzWVhKbE1Rd3dDZ1lEVlFRTERBTkJUbE9DRkdVUjF0czVlcitsRkozKzVJejdSS1RhaW1JYU1Ba0dBMVVkCkV3UUNNQUF3Q3dZRFZSMFBCQVFEQWdUd01DNEdBMVVkRVFRbk1DV0hCQlFVQUFlSEJBcXNUdG1DRjNCeWIzaDUKTG01elluVmpjV1Z6ZVhOMFpXMHVibVYwTUIwR0ExVWREZ1FXQkJRK3pBa2s3MHNqM3FnWFJmcFNOZ0lIMkpWeQpuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTGJnTDFENSsyU2lBVFZBb0Nrckt4bkR1R09hV1RTbXVYSFlBCjRhU3gzaTlDcVBYQVN4QnV1dmx3YWRGZW44aHdxbTA5b2xuNER2bVVlbDk2YnQvRGg1VzZ6WGRKQ3cvSXlTSy8KM3VMa1NkQU5ORnNkUHIvRU9meTRncFQxUG5KMDdrdVBVdkUxK0Jwejc3VVMwWFpON3AwUTd1Y2xWRVhXREhpMAo0eUJOOFByKzQ0NktEZ005VktYYTZCM0dVVFBXOXQ5QTlHc2JZTXJsTkFwWjVPYVNodzhGY1dGdkJlYmZhT0JQCmpmVlh3RWl5WmU1UFd0OTRPVDRGVE9KUjYrQzVQUHlaQnRhRnFJbURLell2ZVJDaVlOSGJ6WWV0ZlFkVkd6VHcKbyt4em9NNFg4UEZ2TnI2UWFCM1FlOHdTeVVZSWs5cUtqNmJrakFsYXVNQi85d0dWdTBIK0NkV1FXR0YvS3ZjdgpldHNMSVB4Yk5EQTQvUlB5WmJPajZ6dXJsVEJ3anpQdUMzSnJCZGxWUE5EaEtzSWpTaDYzYUI3a1FLRTE5ZnpKCkU3SkV3ZDA0cUd1VUI3T0pHNGcyaTU4NytEV0FNZTZPak53aWFoRHpIMUtMZTlXN1VCSEhCbFIwdmpWL0Z3bmUKdmp4bVZYRkV0RnZQVXUzc0tZVHZ6RHVuZVBrZkx3UUsvd1Fna2orRkdnQXVXOEVEd1lGK2dPaHFjM1d4eHcwSwpWOTI1R0FKNVp3VDZnUlJPdmxGWXZ1T3RPaVBobHlsNDlhUDJkWWxaTFZyUXoxaGtJcE4wU3ZJNUQ4NENsTCt3Cm8xMnRJcC9mR3Z1dW9ycE50UEU3STZhUzV0QXJaL2ZqVW1yNDV5T2tZdlAyQUluTWVwYjRNME1hZDByNVFHQVEKVnNrOW5aQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
      
    5. Provision a new set of Kubernetes control plane and worker nodes with the new Harbor certificate.
      kubectl get machinesets -A
      NAMESPACE         NAME                                            CLUSTER                REPLICAS   READY   AVAILABLE   AGE     VERSION
      napp-ns-default   napp-cluster-default-workers-gw6dj-649cb95985   napp-cluster-default   1                              35s     v1.26.5+vmware.2-fips.1
      napp-ns-default   napp-cluster-default-workers-gw6dj-747c99665f   napp-cluster-default   5          5       5           3h40m   v1.26.5+vmware.2-fips.1
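The following POSIX shell helpers are an added example and are not part of the VMware documentation or of the napp-k tooling. They back two checks in the procedure above: confirming that every worker node is cordoned before the certificate is changed (step 2), and producing and validating the base64 value that goes into additionalTrustedCAs so that it can be compared with the certificate held in the platform-proxies secret (steps 1 and 3.4). The node listing and the PEM are constructed samples, and napp-k, jq and openssl are assumed to be on PATH only for the live wrappers at the end; the offline helpers do not need them.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation or the napp-k tooling.
# Offline helpers for the proxy-certificate replacement procedure; the node
# listing and PEM below are constructed samples. napp-k, jq and openssl are
# assumed on PATH only for the live wrappers at the end.

# Print the names of worker nodes from `napp-k get nodes` output.
# On this platform the workers are the nodes whose ROLES column reads "<none>".
worker_nodes() {
    awk 'NR > 1 && $3 == "<none>" { print $1 }'
}

# Print the worker nodes that are NOT yet cordoned and exit 1 if any remain.
# A cordoned node shows "SchedulingDisabled" in its STATUS column.
uncordoned_workers() {
    awk 'NR > 1 && $3 == "<none>" && $2 !~ /SchedulingDisabled/ { print $1; n++ }
         END { exit (n > 0) }'
}

# Encode a PEM certificate file as the single-line base64 string that
# spec.settings.network.trust.additionalTrustedCAs[].data expects: the whole
# PEM, BEGIN/END lines included, with no line wrapping.
pem_to_tkc_b64() {
    base64 < "$1" | tr -d '\n'
}

# Decode a TKC data value back to PEM so it can be inspected or diffed against
# the certificate stored in the platform-proxies secret.
tkc_b64_to_pem() {
    printf '%s' "$1" | base64 --decode
}

# Exit 0 if stdin is bracketed by PEM certificate markers, 1 otherwise. Catches
# the common mistake of encoding only the base64 body instead of the full PEM.
is_pem_cert() {
    awk 'NR == 1 { first = $0 } { last = $0 }
         END { exit !(first == "-----BEGIN CERTIFICATE-----" && last == "-----END CERTIFICATE-----") }'
}

# --- constructed sample inputs -------------------------------------------
# Node listing in the shape of step 2.4, with one worker deliberately left
# schedulable so that uncordoned_workers has something to report.
SAMPLE_NODES='NAME   STATUS   ROLES   AGE   VERSION
napp-cluster-default-qrk2r-f8xjc   Ready   control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready,SchedulingDisabled   <none>   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready   <none>   19h   v1.26.5+vmware.2-fips.1'

# Placeholder PEM (not a real certificate) used only to show the encoding round trip.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificateBody0000000000000000000000000000
-----END CERTIFICATE-----'

# --- live wrappers (need napp-k, jq, openssl; not run offline) ------------
# The certificate currently stored in the platform-proxies secret, as PEM.
secret_proxy_cert() {
    napp-k get secrets platform-proxies --template='{{.data.proxies}}' \
        | base64 --decode | jq -r '.certificate'
}

# Exit 0 if that certificate stays valid for at least N seconds (default 0,
# i.e. not already expired), 1 if it expires within that window.
secret_proxy_cert_valid_for() {
    secret_proxy_cert | openssl x509 -noout -checkend "${1:-0}"
}

# Cordon every worker in one command, then fail if any worker was missed.
cordon_all_workers() {
    napp-k cordon $(napp-k get nodes | worker_nodes) || return 1
    napp-k get nodes | uncordoned_workers >/dev/null
}
```

Typical use on the NSX Manager: `napp-k get nodes | uncordoned_workers` before step 3 (it must print nothing and exit 0), `pem_to_tkc_b64 new-proxy.pem` to obtain the data value for step 3.4, and `secret_proxy_cert | diff - new-proxy.pem` to confirm the secret from step 1 already carries the certificate you are about to trust in the TKC.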