VMware Networking Community
ChristopheNielA
Contributor

NSX 4.1 - error after deploying new appliance after upgrade from v3.2 (to change ip addresses)

Hello

I've upgraded my lab from NSX-T 3.2 to 4.1.
The upgrade worked fine, no issue there, all in the green.


I also had a requirement to change the IP addresses/hostnames for the lab, and I'm encountering an issue: the REPO_SYNC is failing.

I followed the docs using scenario "A", where you deploy a new manager appliance, add it to the cluster, then remove one old appliance (Change the IP Address of an NSX Manager (vmware.com)).


As the appliances were manually deployed, I detached them manually; as soon as I removed the first appliance the REPO_SYNC went "FAILED".

I'm sure I combined multiple problems/actions at the same time:

  • Removing the primary (first) node caused the "repository-ip" not to be changed; the repo sync was trying to reach the old IP
  • I changed it with "set repository-ip", which in turn updated the repo URL to an FQDN (of a working node, with success)
  • I then realized I needed to add the names of the new nodes to the certificate, so I created a new certificate using the procedure I had followed for v3
  • I found an error message in nsxapi.log that gave me a hint:

.... RepoSyncFileHelper ... errorMessage=Unexpected ASN.1 length at position 2

My problem was exactly as described in this article: Upgrading or deploying an VMware NSX Edge node or Manager appliance from NSX-T manager UI fails: no ...

with a slightly different symptom: contrary to the article, the issue did appear even when using the manual OVF installation.


I finally found what the problem was: I had followed a guide on how to set up a certificate signed by an AD CA, as this nice article explains: vGarethLewis - Replacing the VMware NSX-T Self-Signed SSL Certificate

I guess this guide is now obsolete: do not mix IP SANs and DNS SANs, that's what broke my deployment.


I re-read the documentation from 2.5 to 4.1 on "replace certificate", and nowhere is it mentioned to use IP addresses in the SAN; the documentation talks about host and VIP, but does not say "IP" or "FQDN" (nor the word SAN/ASN, for that matter).
Following the guide from Gareth Lewis, it was working for v3.x and you would see IP addresses being used in the logs, so I guess it was OK in v3.

But given that "set repository-ip" registered the FQDN, I'm guessing using DNS and not IP is the right thing to do. This is pure speculation, but it's not really explicit in the documentation
(everything I was configuring was set up in DNS with a reverse record; maybe that's how the appliance found its hostname when I used set repository-ip).
What I would advise after upgrading from 3 to 4, based on what I experienced in my lab:

  • ensure all DNS records (A and PTR) are up to date
  • regenerate a new certificate with DNS names only
  • install the new certificate
  • (possibly refresh anything that uses the NSX API externally)
  • run set repository-ip
  • run a repo_sync from the API


Anyway, I could finish my operation to move name/IP: I made a new certificate with only the 3 nodes/1 VIP, did a refresh on vCloud with the new URL/certificate, and it was OK. I will check if there are more issues, but thank god this is a lab environment.

I'll stop ranting and speculating now. I hope it helps someone, or maybe it was a mistake to use DNS entries for NSX-T from the start?

Stephan_Zur
Contributor

Hi Christophe,

Thanks for this article. I think I just stumbled across the same issue. I followed the vGarethLewis article for certificate setup on an NSX 4.1.0.0 installation. Now, trying to upgrade to version 4.1.1, I get the same issue.

Can you please let me know how you created the CSR in NSX 4.1 to make it work? Did you just remove the IPs from the CSR, like this?

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Wales
localityName = Cardiff
organizationName = vGarethLewis
organizationalUnitName = IT
commonName = nsx.vgarethlewis.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = nsx.vgarethlewis.com
DNS.2 = nsx-01.vgarethlewis.com
DNS.3 = nsx-02.vgarethlewis.com
DNS.4 = nsx-03.vgarethlewis.com

Thanks for help.
Stephan
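As an added example (not from this thread, from VMware, or from the vGarethLewis guide), the Python script below pre-checks an openssl req config such as the CSR template in the reply above before the CSR is generated, covering two of the steps from the checklist in the first post: it rejects any IP.n entry in the alt_names section (the IP/DNS SAN mix that broke the repo sync), confirms the commonName is also listed as a DNS SAN, and verifies that every DNS SAN has a forward (A) record whose PTR points back to the same name. The lab hostnames and 192.0.2.x addresses are constructed for offline use, and the resolver functions are injectable; with the defaults it queries the system resolver.

```python
"""Pre-flight check of an OpenSSL request config before generating an NSX CSR.

Added example, not from the thread, VMware or the vGarethLewis guide.
"""
import configparser
import socket
from dataclasses import dataclass, field

# Constructed sample: the DNS-only CSR template from the reply above.
SAMPLE_REQ_CONF = """
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = GB
organizationName = vGarethLewis
commonName = nsx.vgarethlewis.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = nsx.vgarethlewis.com
DNS.2 = nsx-01.vgarethlewis.com
DNS.3 = nsx-02.vgarethlewis.com
DNS.4 = nsx-03.vgarethlewis.com
"""

# Constructed lab records (assumed addresses, not from the thread).
LAB_A = {
    "nsx.vgarethlewis.com": "192.0.2.10",
    "nsx-01.vgarethlewis.com": "192.0.2.11",
    "nsx-02.vgarethlewis.com": "192.0.2.12",
    "nsx-03.vgarethlewis.com": "192.0.2.13",
}
LAB_PTR = {ip: name for name, ip in LAB_A.items()}


@dataclass
class SanReport:
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_req_conf(text: str) -> dict:
    """Return {section: {key: value}}; section names like '[ req ]' are stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DNS.1 / commonName case exactly as written
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}


def system_forward(name: str) -> str:
    return socket.gethostbyname(name)          # raises OSError on NXDOMAIN


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]         # raises OSError when no PTR


def lab_forward(name: str) -> str:
    if name not in LAB_A:
        raise OSError("NXDOMAIN")
    return LAB_A[name]


def lab_reverse(ip: str) -> str:
    if ip not in LAB_PTR:
        raise OSError("no PTR")
    return LAB_PTR[ip]


def check_req_conf(text, forward=system_forward, reverse=system_reverse) -> SanReport:
    conf = parse_req_conf(text)
    rep = SanReport()
    req = conf.get("req", {})
    cn = conf.get(req.get("distinguished_name", "req_distinguished_name"), {}).get("commonName")
    san_ref = conf.get(req.get("req_extensions", "req_ext"), {}).get("subjectAltName", "")
    alt = conf.get(san_ref[1:], {}) if san_ref.startswith("@") else {}
    if not alt:
        rep.problems.append("subjectAltName does not reference a populated @alt_names section")
        return rep
    for key, value in alt.items():
        kind = key.split(".")[0].upper()
        if kind == "DNS":
            rep.dns_sans.append(value)
        elif kind == "IP":                      # the IP/DNS mix that broke REPO_SYNC
            rep.ip_sans.append(value)
            rep.problems.append(f"{key} = {value}: IP SAN present, use DNS names only")
        else:
            rep.problems.append(f"{key}: unexpected SAN type")
    if cn and cn not in rep.dns_sans:
        rep.problems.append(f"commonName {cn} is not also listed as a DNS SAN")
    for name in rep.dns_sans:                   # A and PTR must agree for every SAN
        try:
            ip = forward(name)
        except OSError:
            rep.problems.append(f"{name}: no A record")
            continue
        try:
            back = reverse(ip)
        except OSError:
            rep.problems.append(f"{name}: no PTR record for {ip}")
            continue
        if back.rstrip(".").lower() != name.lower():
            rep.problems.append(f"{name}: PTR for {ip} is {back}, not {name}")
    return rep


if __name__ == "__main__":
    report = check_req_conf(SAMPLE_REQ_CONF, lab_forward, lab_reverse)
    print("OK" if report.ok else "\n".join(report.problems))
```

Run it against the real config and the real resolver (drop the two lab_* arguments) once the new A and PTR records are in place; a stale PTR left over from the old addresses shows up as a per-name problem before the certificate is installed, rather than as an ASN.1 error in nsxapi.log afterwards.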
ChristopheNielA
Contributor

Hello

Sorry for the late reply (blame the junk mail filter... I didn't see the notification).

For your question: yes, I did exactly that, with my .local domain name; I just kept the DNS.1-4 entries.

I should have put the full config file in my post.


Hope that helped.


Christophe
