I have a new deployment of NSX 6.3.5. I cannot deploy any NSX controllers; the OVA deployment shows the following error:
Operation failed on VC. For more details, refer to the rootCauseString or the VC logs
NSX Manager controller log shows the following...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server Certificate's thumbprint:CC:62:42:E1:9A:E0:40:E6:0A:67:C1:E9:12:FF:8C:A2:47:1D:B0:CFdoesn't match any of the Registered thumbprint Set:[06:26:65:80:AA:65:A7:83:C4:0C:C0:22:CB:45:1E:07:CD:02:BC:41]
... 20 more
Important things to note...
Spent nearly a day on this and it's driving me crazy. Anyone seen this?
Ok, so the fix. This is interesting...
It turned out the SSL cert thumbprints the NSX manager was seeing were the old ESXi host SSL certs, which I changed to signed certs a couple of days back. Since then I hadn't rebooted the hosts; I had simply restarted hostd and vpxa. A restart still didn't fix the issues. It did do one thing though. A restart of ESXi 6.5U1 deleted the backups I had made in /etc/vmware/ssl/backups. The entire directory had gone! So I couldn't go back to the old certs to fix the issue.
So I simply disconnected the ESXi hosts from vCenter and reconnected them. Problem solved. NSX controllers deployed without issue. vCenter had been rebooted many times but for whatever reason it still thought the ESXi hosts were connected with a different thumbprint, which must have been where NSX manager got the thumbprint from. We live and learn!
The fix is to disconnect ESXi from VC ----> when you do that, the password between VC and ESXi is changed and regenerated and NSX Manager is informed about this change,
and then NSX Manager starts using/leveraging the new password generated between VC and ESXi.
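An added example, not part of the thread and not VMware tooling: a small Python check that pulls the presented and registered SHA-1 thumbprints out of the NSX Manager error quoted above and compares them with the certificate a host is serving right now, which shows whether the registered record is the stale side. The function names and result labels are assumptions made for this sketch; the sample line is the one from the post.

```python
import hashlib
import re
import ssl

# SHA-1 thumbprint in the colon-separated form used in the NSX Manager log.
THUMB = r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}"
MISMATCH = re.compile(
    r"thumbprint:\s*(" + THUMB + r").*?Registered thumbprint Set:\[([^\]]*)\]"
)

# Log line as quoted in the post (including the missing space before "doesn't").
SAMPLE = ("Caused by: javax.net.ssl.SSLHandshakeException: "
          "java.security.cert.CertificateException: Server Certificate's thumbprint:"
          "CC:62:42:E1:9A:E0:40:E6:0A:67:C1:E9:12:FF:8C:A2:47:1D:B0:CF"
          "doesn't match any of the Registered thumbprint Set:"
          "[06:26:65:80:AA:65:A7:83:C4:0C:C0:22:CB:45:1E:07:CD:02:BC:41]")

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, formatted AA:BB:..."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_mismatch(line: str):
    """Return (presented, registered_set) from the error line, or None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    return m.group(1), set(re.findall(THUMB, m.group(2)))

def live_thumbprint(host: str, port: int = 443) -> str:
    """Thumbprint of the certificate the host serves now (chain not verified)."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem))

def diagnose(line: str, live: str) -> str:
    """Classify the mismatch given the thumbprint the host serves now."""
    parsed = parse_mismatch(line)
    if parsed is None:
        return "no_mismatch_line"
    presented, registered = parsed
    if live in registered:
        return "host_matches_registered"   # the rejected cert is no longer served
    if live == presented:
        return "registered_stale"          # stored record lags the host's current cert
    return "neither"                       # host serves a third certificate

if __name__ == "__main__":
    print(parse_mismatch(SAMPLE))  # offline; call live_thumbprint("<esxi-host>") for a live check
```

A `registered_stale` result for every host is the situation the disconnect and reconnect in the thread cleared.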