We have a very peculiar problem with an SSL certificate update.
After replacing the "Machine SSL certificate with Custom Certificate" with /usr/lib/vmware-vmca/bin/certificate-manager, NSX Manager 6.3.3 can no longer connect to VCSA.
The error message in the NSX Manager log is:
2017-08-18 08:47:35.472 GMT INFO ViInventoryThread ViInventory:442 - Inventory cannot connect to VC because:Error allocating connection to vCenter Server.; nested exception is java.util.concurrent.ExecutionException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
2017-08-18 08:47:35.475 GMT INFO ViInventoryThread ViInventory:447 - Inventory cannot connect to VC because:com.vmware.vshield.vsm.vcserver.VcConnectionNotAvailableException: core-services:500:vCenter Connection is not available.:com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
The following did NOT help:
Resetting certificates and adding the Custom certificate again does not work due to a bug: "Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subje...
Any ideas?
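The log line above fails on two independent checks a vCenter client performs: the presented chain is not trusted by the client's trust store, and the certificate's thumbprint is not the one pinned at registration time. After a Machine SSL certificate is replaced, the pinned thumbprint still belongs to the old certificate, so the second check fails until the solution is re-registered. The following Python is an added example, not code from the thread or from VMware; it computes SHA-1/SHA-256 thumbprints of a DER certificate, compares them with a pinned value in constant time, and (when run as a script against a host) fetches the certificate a vCenter actually presents so the two values can be compared before re-registering. The helper names are hypothetical and the "old"/"new" certificate bytes are constructed stand-ins for real DER data.

```python
"""Thumbprint pinning check, in the style of what a registered solution
(such as NSX Manager) does against vCenter. Added example; helper names
are hypothetical and the sample certificates are constructed bytes."""
import hashlib
import hmac
import socket
import ssl
import sys

# Constructed stand-ins for DER-encoded certificates. In real use these are
# the bytes you get from ssl.PEM_cert_to_DER_cert(open(path).read()) or from
# fetch_server_der() below.
OLD_CERT_DER = b"constructed-der-bytes-of-the-old-machine-ssl-certificate"
NEW_CERT_DER = b"constructed-der-bytes-of-the-new-custom-certificate"


def thumbprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Return the colon-separated, upper-case hex thumbprint of a DER cert.
    vSphere UIs and logs show the SHA-1 form; SHA-256 is supported too."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(tp: str) -> str:
    """Make copy/pasted thumbprints comparable: drop colons/spaces, upper-case."""
    return tp.replace(":", "").replace(" ", "").upper()


def thumbprint_matches(der_bytes: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Constant-time comparison of the cert's thumbprint with the pinned one."""
    return hmac.compare_digest(_normalize(thumbprint(der_bytes, algo)),
                               _normalize(pinned))


def diagnose(der_bytes: bytes, pinned: str) -> str:
    """One-line verdict: does the presented cert match what was pinned?"""
    if thumbprint_matches(der_bytes, pinned):
        return "MATCH: presented certificate is the one registered"
    return ("MISMATCH: presented %s, pinned %s; the server certificate was "
            "replaced after registration, so re-register to pin the new one"
            % (thumbprint(der_bytes), pinned))


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a TLS server presents. Verification is
    disabled on purpose: we are inspecting the certificate, not trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_trusted(host: str, port: int = 443) -> bool:
    """Second check from the log: is the chain trusted by this host's store?"""
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


# The value a solution would have stored when it registered with the OLD cert.
PINNED_THUMBPRINT = thumbprint(OLD_CERT_DER)

if __name__ == "__main__":
    # Usage: python thumbprint_check.py <vcenter-fqdn> <pinned-sha1-thumbprint>
    if len(sys.argv) == 3:
        live = fetch_server_der(sys.argv[1])
        print("chain trusted by local store:", chain_trusted(sys.argv[1]))
        print(diagnose(live, sys.argv[2]))
    else:
        # Offline demonstration with the constructed certificates.
        print(diagnose(OLD_CERT_DER, PINNED_THUMBPRINT))
        print(diagnose(NEW_CERT_DER, PINNED_THUMBPRINT))
```

Run it with the vCenter FQDN and the thumbprint shown in the NSX Manager vCenter registration page: a MISMATCH verdict with a trusted chain points at stale pinning (re-register the solution), while an untrusted chain means the new certificate's CA has not been imported on the client side.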
So if my understanding is correct, the cert replacement was done only on VCSA? By any chance, is PSC connectivity (if it is external) also impacted after the cert replacement? How did you generate the VCSA certificate: 1) IP or 2) FQDN?
Based on one of the options, you should try updating the correct IP/FQDN once again in the NSX registration page and give it a try. If this is a fresh NSX set-up, the better option would be to remove the solution and register it back.
The VCSA cert is a bought STAR multi-domain cert, *.domain.com.
Replacement was done only on VCSA.
PSC is integrated and is not impacted.
Tried to reconnect NSX Manager multiple times by entering the vCenter IP and FQDN; however, the problem is the same every time.
I am now replacing NSX Manager with a fresh one, to which I can try a backup restore.
Any ideas?
As long as you can connect to VCSA without any certificate warning, that confirms the cert side is fine. A fresh NSX deploy would be the quicker option.