Replacing NSX-T Controller SSL Certificates with Lets Encrypt

Another certificate management post as Lets Encrypt have removed their old root certificates. This post shows how to update signed certificates for NSX-T.

NSX-T checks certificate chains when importing certificates, and unless the full chain of trust is available, you will not be able to use the certificate with NSX-T.

Another certificate management post as Lets Encrypt have removed their old root certificates. This post shows how to update signed certificates for NSX-T.

NSX-T checks certificate chains when importing certificates, and unless the full chain of trust is available, you will not be able to use the certificate with NSX-T.

This link here shows the chain of trust for Lets Encrypt certificates.

https://letsencrypt.org/certificates/

The certificate chain for Lets Encrypt is as follows:

your-certificate -> R3 -> ISRG Root X1

Your certificate is delivered to you after you request a certificate using Lets Encrypt services, the file that contains your certificate is named cert.pem.

The R3 certificate can be downloaded with this link

https://letsencrypt.org/certs/lets-encrypt-r3.pem

The ISRG Root X1 certificate can be downloaded with this link

https://letsencrypt.org/certs/isrgrootx1.pem

To create a complete chain that NSX-T can accept, combine the contents of the files above into a single file in this order: cert, R3, X1. Like this

-----BEGIN CERTIFICATE-----
cert.pem content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R3.pem content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
X1.pem content
-----END CERTIFICATE-----

Now you can use this new file to import and use this new certificate in NSX-T. It will look similar to this if successful.

Certificate cannot be deleted because it is used by 1 MP node(s)

Attempting to delete a certificate in NSX-T Manager fails with the error:

Certificate cannot be deleted because it is used by 1 MP node(s).

This post describes how to fix this issue.

Attempting to delete a certificate in NSX-T Manager fails with the error:

Certificate cannot be deleted because it is used by 1 MP node(s).

This is due to the certificate not being released after it was used before by a NSX-T controller node.

To fix this first get the details for the certificate in question.

GET https://nsx.vmwire.com/api/v1/trust-management/certificates/<cert-id>

At the bottom of the Body in the response you’ll see something like the following:

{
    "service_type": "API",
    "node_id": "c1862a42-f52e-af01-f090-ed6482cad394"
}'

Now, you can release the node from that certificate by first logging into one of your NSX-T controller nodes, this only works from the node directly and not from the API.

Log into a Controller node as admin, then type st e, enter the admin password and you should be at the shell.

Post this command to release the certificate from that node.

curl -k -X POST -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' -d '{"service_type":"API","node_id":"c1862a42-f52e-af01-f090-ed6482cad394"}'  "http://localhost:7440/nsxapi/api/v1/trust-management/certificates/21fd7e8a-3a2e-4938-9dc7-5f3eccd791e7?action=release"

Once done, you can now delete that certificate from NSX-T.

This is the workaround that is referred to in this KB article but not discussed.