...
NAPP installation fails at 70%. This scenario is commonly hit in a Federation setup.

In /var/log/proton/napps.log on the NSX Manager, you see output similar to:

2023-03-31 17:22:00 ERROR api_request:133 [MainThread] - Unexpected error for POST /napp/api/v1/platform/trust-management/certificates, status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00 WARNING api_request:47 [MainThread] - Retry #3: Remote node request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}',
2023-03-31 17:22:00 ERROR api_request:28 [MainThread] - Description: POST: /napp/api/v1/platform/trust-management/certificates
2023-03-31 17:22:00 ERROR api_request:29 [MainThread] - Request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00 ERROR __main__:345 [MainThread] - Exit unexpectedly
Traceback (most recent call last):
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 343, in <module>
    main(args)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 296, in main
    _register_manager_certs(fqdn)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 245, in _register_manager_certs
    _push_certs(host, node_certs, "NSX_UA_NODE")
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 267, in _push_certs
    "POST: %s" % POST_CLOUDNATIVE_PLATFROM_CERT)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/api_request.py", line 30, in assert_request_success
    raise RuntimeError("Request failed with error msg: %s" % error_msg)
RuntimeError: Request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00,230 ERROR nsx_kubernetes_lib.vmware.kubernetes.common.utility[37]:execute Unexpected error occurred:
2023-03-31 17:22:00,231 ERROR __main__[53]:main Error executing function execute_registration_script. Error message:

If you check the trust-manager pod logs at /var/log/napps/XXXXXXXXXXX/nsxi-platformfrom/trust-manager-XXXXXXXXX, you see output similar to:

"ERROR" subcomp="trust-manager-core"] Failed to add certificate
com.vmware.nsx.k8splatform.trustmanager.common.exceptions.CertificateValidationException: Some error has occurred
    at com.vmware.nsx.k8splatform.trustmanager.common.utils.X509CertificateUtil.verify(X509CertificateUtil.java:291)
    at com.vmware.nsx.k8splatform.trustmanager.service.impl.TrustManagerServiceImpl.verifyCertificateEntity(TrustManagerServiceImpl.java:334)
    at com.vmware.nsx.k8splatform.trustmanager.service.impl.TrustManagerServiceImpl.addCertificate(TrustManagerServiceImpl.java:119)
    at com.vmware.nsx.k8splatform.trustmanager.api.TrustManagementApiImpl.addCertificate(TrustManagementApiImpl.java:47)
    at sun.reflect.GeneratedMethodAccessor259.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
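A triage check for the napps.log symptom above, as an added example rather than VMware's own code: it scans log text for the TrustManager error 940108 returned by the certificate POST and confirms that the registration traceback passed through _register_manager_certs. The function names are assumptions of this example, and the embedded sample lines are copied from the excerpt above.

```python
import json
import re

# Endpoint and error values are taken from the napps.log excerpt above.
ENDPOINT = "/napp/api/v1/platform/trust-management/certificates"
ERROR_CODE = 940108
MODULE = "TrustManager"

# Matches both "POST <path>, status: 500, body: b'{...}'" and
# "POST <path> returned status: 500, body: b'{...}'" log forms.
LINE_RE = re.compile(
    r"POST (?P<path>\S+?),? (?:returned )?status: (?P<status>\d+), "
    r"body: b'(?P<body>\{.*?\})'"
)

# Sample input: three lines copied from the excerpt above.
SAMPLE_LOG = """\
2023-03-31 17:22:00 ERROR api_request:133 [MainThread] - Unexpected error for POST /napp/api/v1/platform/trust-management/certificates, status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}'
2023-03-31 17:22:00 WARNING api_request:47 [MainThread] - Retry #3: Remote node request failed with error msg: POST /napp/api/v1/platform/trust-management/certificates returned status: 500, body: b'{"error_code":940108,"module_name":"TrustManager","error_message":"Failed to add certificate. {0}"}',
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 245, in _register_manager_certs
"""


def find_trust_manager_failures(log_text):
    """Return (line_number, error_message) for each matching 500 response."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m or m["path"] != ENDPOINT or m["status"] != "500":
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON body: not a confirmed match
        if body.get("error_code") == ERROR_CODE and body.get("module_name") == MODULE:
            hits.append((lineno, body.get("error_message", "")))
    return hits


def matches_kb_signature(log_text):
    """True when the TrustManager failure occurs during manager-cert registration."""
    return bool(find_trust_manager_failures(log_text)) and (
        "in _register_manager_certs" in log_text
    )


if __name__ == "__main__":
    for lineno, message in find_trust_manager_failures(SAMPLE_LOG):
        print(f"line {lineno}: {message}")
    print("KB signature present:", matches_kb_signature(SAMPLE_LOG))
```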
The /nsxapi/api/v1/trust-management/certificates API returns 2 certificates whose service_type is set to "API": one is CA-signed and the other is self-signed. The intelligence registration was failing because the registration scripts were trying to add the CA-signed certificate to trust manager as the leaf certificate, and that was failing.
This behavior is fixed in NSX 4.0.0.1.
We can skip these certs in the registration script to avoid trust-manager throwing errors, because trust manager refuses to accept CA-signed certificates.

If you believe you have encountered this issue, please open a support request and refer to this KB article.