NSX-T: Release associated invalid node ID from certificate


Summary:

I had an expiring certificate registered in NSX-T that was associated with a node_id that is no longer valid. Long story short, there wasn't anything obvious in the API to delete or disassociate a certificate from a node_id for 3.2.2. I'm not sure how things got into this state, but I'm noting it here for future reference. This may change in future revisions, so always check the API for the latest.

Details:

I effectively had a stale node associated with a certificate that was expiring. I could not delete the certificate until that node was disassociated from it.

  • To get certificate details and the associated node_ids, you can use the following curl call (the UI works too):
    • curl -k -X GET -H "Content-Type: application/json" -u admin "https://<manager ip>/api/v1/trust-management/certificates/<cert UUID>"
    • Above will return something like this:


  • Below must be run from one of the manager nodes via elevation to root:
  • ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DOING!
    • curl -v -H 'x-nsx-username: admin' -k -H "Content-Type: application/json" -X POST "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert UUID>?action=release" -d '{"node_id": "node"}'
The above call is not publicly documented, from what I was able to find, so use it at your own risk.
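
A pre-check for the release step above, as an added example that is not from the original post: it reads the certificate JSON, compares each associated node_id against node IDs you have confirmed are live cluster members, and builds release bodies only for the stale ones. The used_by, node_id and service_types response fields, the sample UUIDs, and reading the "node" value in the release body as the stale node's ID are assumptions.

```python
import json

# Constructed sample of the certificate GET response. The used_by / node_id /
# service_types field names are an assumption; check them against your output.
SAMPLE_CERT = json.loads("""
{
  "id": "11111111-aaaa-4bbb-8ccc-000000000001",
  "display_name": "expiring-cert",
  "used_by": [
    {"node_id": "22222222-aaaa-4bbb-8ccc-000000000002", "service_types": ["API"]},
    {"node_id": "99999999-AAAA-4bbb-8ccc-000000000009", "service_types": ["API"]}
  ]
}
""")

# Constructed: node IDs the operator has confirmed are current cluster members.
LIVE_NODES = {"22222222-aaaa-4bbb-8ccc-000000000002",
              "33333333-aaaa-4bbb-8ccc-000000000003"}


def release_plan(cert, live_nodes):
    """Decide which node bindings on a certificate are stale.

    Returns the JSON bodies to send with ?action=release (stale nodes only),
    the live nodes still using the certificate, and whether the certificate
    would be unreferenced, and so deletable, once the stale ones are released.
    """
    live_norm = {n.strip().lower() for n in live_nodes}
    bodies, still_used = [], []
    for entry in cert.get("used_by") or []:
        node_id = str(entry.get("node_id") or "").strip()
        if not node_id:
            continue  # malformed binding: nothing to release
        if node_id.lower() in live_norm:
            still_used.append(node_id)  # never release a live node's binding
        else:
            bodies.append(json.dumps({"node_id": node_id}))
    return {"release_bodies": bodies,
            "still_in_use_by": still_used,
            "safe_to_delete": not still_used}


if __name__ == "__main__":
    print(json.dumps(release_plan(SAMPLE_CERT, LIVE_NODES), indent=2))
```

If still_in_use_by is not empty, move those nodes to a replacement certificate before deleting the old one.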
