Hello,
We have a very peculiar problem with an SSL certificate update.
After replacing "Machine SSL certificate with Custom Certificate" with /usr/lib/vmware-vmca/bin/certificate-manager,
NSX Manager 6.3.3 can no longer connect to VCSA.
Error message in NSX Manager log is:
2017-08-18 08:47:35.472 GMT INFO ViInventoryThread ViInventory:442 - Inventory cannot connect to VC because:Error allocating connection to vCenter Server.; nested exception is java.util.concurrent.ExecutionException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
2017-08-18 08:47:35.475 GMT INFO ViInventoryThread ViInventory:447 - Inventory cannot connect to VC because:com.vmware.vshield.vsm.vcserver.VcConnectionNotAvailableException: core-services:500:vCenter Connection is not available.:com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
The below did NOT help:
Resetting certificates and adding Custom again does not work due to a bug: "Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subje...
Any ideas?
So if my understanding is correct, cert replacement was done only on VCSA? By any chance, is PSC connectivity (if it is external) also impacted after cert replacement? How did you generate the VCSA certificate: 1) IP 2) FQDN?
Based on one of the options, you should try updating the correct IP/FQDN once again in the NSX registration page and give it a try. If this is a fresh NSX set-up, the better option would be to remove the solution and register it back.
VCSA cert is a bought STAR multi-domain cert, *.domain.com.
Replacement was done only on VCSA.
PSC is integrated and is not impacted.
Tried to reconnect NSX Manager multiple times by entering vCenter IP and FQDN; however, the problem is the same every time.
I am now replacing NSX Manager with a fresh one, to which I can try a backup restore.
Any ideas?
vCenter certificate issues when deploying VIO
Here they do it by restarting that appliance; that didn't solve it for NSX Manager, though.
As long as you can connect to VCSA without any certificate warning, that confirms the cert side is fine. A fresh NSX deploy would be a quicker option.
Yes, the fresh NSX Manager connected to the FQDN without issue.
Now figuring out how to resume with the existing config. (backup restore?)
Any luck after restore?