Replace NSX-T 3 SSL/TLS Certificates – Common errors
This is the fourth post out of a small series about replacing NSX-T SSL / TLS Certificates:
- Replace NSX-T 3 SSL / TLS Certificates – GUI MethodReplace
- Replace NSX-T 3 SSL / TLS Certificates – Manual Method
- Replace NSX-T 3 SSL / TLS Certificates – Cluster Certificate
- –> Replace NSX-T 3 SSL / TLS Certificates – Common errors
While describing how to replace the NSX-T Manager and Cluster Certs both, through the GUI and manually, I’ve faced a few of errors. Since those error messages are not always entirely clear, I wanted to share some of my findings with you.
1. Certificate validation failed. Reason : Certificate is not compliant as certificate of type SERVER: Basic constraints Extension is not present in the certificate
After running the command to actually change the certificate, you get a message, similar to:
{ "error_code": 36432, "error_message": "Certificate validation failed. Reason : Certificate is not compliant as certificate of type SERVER: Basic constraints Extension is not present in the certificate", "module_name": "node-services" }
This means, that your Certificate does not have the Extension “Basic constraints” available / enabled.
In case of a Windows based Certificate Authority, check your Certificate Template Settings. Make sure you have the extension “Basic Constraints” available and Enabled. In order to have this extension available, your compatibility settings must be Windows Server 2008 R2 (or newer).
2. Certificate validation failed. Reason : Certificate <certificate attributes>: certificate does not verify with supplied key
After running the command to actually change the certificate, you get a message, similar to:
{ "error_code": 36432, "error_message": "Certificate validation failed. Reason : Certificate CN=nsxt-3.vraccoon.lab,OU=Lab,O=vRaccoon Corp,L=Germany,ST=BER,C=DE was not verifiably signed by CN=nsxt-3.vraccoon.lab,OU=Lab,O=vRaccoon Corp,L=Germany,ST=BER,C=DE: certificate does not verify with supplied key", "module_name": "node-services" }
This is a good example of a non-intuitive error description. When you upload the Certificate (not matter whether through the GUI-Method or the Manual-Method) it already checks if the certificate and the key fit together.
If you get this error message after trying to activate the already uploaded certificate, it most likely means, that you haven’t uploaded the complete certificate chain as part of your NSX-T Certificate.
If you upload your certificate file, it must look similar to
—–BEGIN CERTIFICATE—–
NSX-T Manager cert
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
Intermediate CA Cert
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
Root CA Cert
—–END CERTIFICATE—–
3. Certificate validation failed. Reason : Certificate was rejected: CRL check failed: Couldn’t get LDAP context from URI ldap:///<CRL path>”
After running the command to actually change the certificate, you get a message, similar to:
{ "error_code": 36432, "error_message": "Certificate validation failed. Reason : Certificate was rejected: CRL check failed: Couldn't get LDAP context from URI ldap:///CN=vraccoon-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=vraccoon,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint", "module_name": "node-services" }
This is a tricky one. And a known Issue too – check KB78794
With NSX-T 3, VMware has added a check for Certificate Revocation List (CRL). From a security perspective, it’s quite a good move.
To fix this, VMware recommends the use of HTTP CDP based Certificates.
Alternatively, as a workaround, you can also disable the CRL check – run the following command (fill the <> with your information:
curl –insecure -u <user>:<password> -X GET “https://<manager-fqdn>/api/v1/global-configs/SecurityGlobalConfig”
You will get an response, similar to this:
{ "crl_checking_enabled" : true, "ca_signed_only" : false, "resource_type" : "SecurityGlobalConfig", "id" : "750efc5c-42d4-455e-b167-3497ba3ce879", "display_name" : "750efc5c-42d4-455e-b167-3497ba3ce879", "_create_user" : "system", "_create_time" : 1590267915849, "_last_modified_user" : "system", "_last_modified_time" : 1590330655250, "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_revision" : 7 }
You will need lines 2, 3 and 13. Then run the following command (again, customized to your environment):
curl –insecure -u <user>:<password> -X PUT “https://<manager-fqdn>/api/v1/global-configs/SecurityGlobalConfig” -H “Content-Type: application/json” -d ‘{“crl_checking_enabled”:false, “resource_type” : “SecurityGlobalConfig”,”_revision” : <revision number>}’
If it succeeds, you will get the previous output again, but with an incremented revision number and crl_checking_enabled set to false.
4. error, no objects specified in config file
When trying to create the key and csr file with openssl, you’ll get an error similar to:
vraccoon@ubu:/tmp$ openssl req -nodes -newkey rsa:2048 -keyout nsxt-3.key -config nsxt-3.cnf -out nsxt-3.csr Generating a RSA private key ...................................................................+++++ .............................................................................................................................................................+++++ writing new private key to 'nsxt-3.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- DE []: Germany []: BER []: vRaccoon Corp []: LAB []: nsxt-3.vraccoon.lab []: error, no objects specified in config file problems making Certificate Request
I’m not sure where this exactly comes from, it appears to me like an issue in openssl.
But you can easyly fix this by adding “prompt = no” to the section [req] in your certificate conf file. Of course, you need to specify the desired values in the conf file too, since its not asking for it anymore.
Great Article! I ran into the first described issue in my lab and I didn’t have any idea until I seen this this article. It was really helpful!
I didn’t have any idea, because with 2.5 my internal AD CA was working well,…
Awesome job with this post, very informative. I was wondering how do yo go about checking Extension “Basic constraints” when you use an openssl as CA ?
I’m not terrible experienced when it comes to the openssl tool.
But you need to add all the requested extension while requesting the Certificate.
RedHat has a pretty good explanation on hwo to do this: https://access.redhat.com/solutions/28965
The parameter you are looking for should be
basicConstraints=CA:TRUE
I haven’t tested it myself, but hope it helps though 🙂
Hi,
Thanks again for the reply and guidelines !
I managed to add the require extensions to a file . Seems NSX 3.0 versions have stricter checks for validating the existence from the following extensions:
basic constraints
extended key usage
I created a file “server_v3.ext” with the following content :
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
keyUsage= digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName= @alt_names
[v3_req]
subjectAltName= @alt_names
[alt_names]
DNS.1 = nsx-mngr-01.corp.local
IP.1 = 192.168.120.1
Then I signed the CSR using that file ext (server_v3.ext) :
openssl x509 -req -in nsxt-TEST.csr -CA myCAlucho.pem -CAkey /etc/ssl/private/myCA.key -CAcreateserial -out NSX-TESTfinal.crt -days 3650 -extfile server_v3.ext
This time no complains when I ran API call.
Looks like NSX BU is removing this code check for version 3.0.2 to make our lives easier.
Thanks again for sharing all you knowledge on the post !!!
Glad to hear, that it worked !
And thanks a lot for posting the update!