
Resolving VMware NSX Error MP029 / 289: SSL Certificate Replacement Guide

Facing error codes like 289 / 36235 while replacing SSL certificates in VMware NSX Managers? Learn the step-by-step solution to troubleshoot and resolve certificate application errors, handle permission conflicts, and ensure secure connections using VMware's recommended practices.

10 hours ago


The Problem: SSL Certificate Replacement Error

We attempted to replace SSL certificates on NSX Manager nodes using the following API call, as documented in VMware's official guide:

POST https://<NSX-Manager-FQDN>/api/v1/trust-management/certificates/<new-cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>

Example with Data:

POST https://nsx01a-mgr.local.domain/api/v1/trust-management/certificates/c9046080-735e-4515-962c-61c8173c7edf?action=apply_certificate&service_type=API&node_id=c12a0142-af3e-881e-7623-9f4f364b44db

However, this resulted in the following error:

{
    "httpStatus": "BAD_REQUEST",
    "error_code": 289,
    "module_name": "common-services",
    "error_message": "Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)"
}

Key IDs in the Examples

Placeholder | Example Value | Description
<new-cert-id> | c9046080-735e-4515-962c-61c8173c7edf | ID of the SSL certificate being applied.
<node-id> | c12a0142-af3e-881e-7623-9f4f364b44db | ID of the NSX Manager node.

Root Cause

The error indicated that the certificate’s ownership was tied to node_mgmt, which had lost its role permissions. As a result, the admin user lacked the necessary privileges to modify the certificate.

To resolve the issue, VMware Support provided a step-by-step procedure to release the old certificate and apply the new one. Here’s how to perform these steps on NSX Manager node A:

1. Release the Old Certificate

Prepare a JSON payload file (request_a.json) with the following content:

{
    "node_id": "<node-id>",
    "service_type": "API"
}

Example with Data:

{
    "node_id": "c12a0142-af3e-881e-7623-9f4f364b44db",
    "service_type": "API"
}

Run the following command to release the old certificate:

curl -k -H "Content-Type: application/json" \
     -H "X-NSX-Username:admin" \
     -H "X-NSX-Groups:superuser" \
     -X POST "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<old-cert-id>?action=release" \
     -d @request_a.json

Example with Data:

curl -k -H "Content-Type: application/json" \
     -H "X-NSX-Username:admin" \
     -H "X-NSX-Groups:superuser" \
     -X POST "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/b13ca0d1-717d-4109-a7aa-260c5808083d?action=release" \
     -d @request_a.json

2. Apply the New Certificate

To apply the new certificate, use the following command:

curl -k -X POST -H "Content-Type: application/json" \
     -H 'X-NSX-Username:system' \
     -H 'X-NSX-Groups:superuser' \
     "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<new-cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>"

Example with Data:

curl -k -X POST -H "Content-Type: application/json" \
     -H 'X-NSX-Username:system' \
     -H 'X-NSX-Groups:superuser' \
     "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/c9046080-735e-4515-962c-61c8173c7edf?action=apply_certificate&service_type=API&node_id=c12a0142-af3e-881e-7623-9f4f364b44db"

3. Repeat for Other Nodes

Repeat the same procedure for all other NSX Manager nodes, replacing the certificate and node IDs as appropriate.
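
The release and apply steps above, wrapped as one function to run on each NSX Manager node with that node's IDs. This is an added example, not part of VMware Support's procedure or VMware tooling. The function names and the NSX_APPLY switch are assumptions of this example, and the IDs are the article's example values.

```shell
#!/bin/sh
# Added example, not VMware's tooling. Run on the NSX Manager node being changed.
# Dry run by default; set NSX_APPLY=1 (name chosen for this example) to send.
NSX_LOCAL="http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates"

# Accept only canonical UUIDs so an unfilled <placeholder> never reaches the API.
is_uuid() {
    [ "${#1}" -eq 36 ] && printf '%s' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Body for step 1, same shape as request_a.json.
release_payload() { printf '{"node_id": "%s", "service_type": "API"}' "$1"; }

release_url() { printf '%s/%s?action=release' "$NSX_LOCAL" "$1"; }

apply_url() {
    printf '%s/%s?action=apply_certificate&service_type=API&node_id=%s' \
        "$NSX_LOCAL" "$1" "$2"
}

# replace_cert NODE_ID OLD_CERT_ID NEW_CERT_ID
replace_cert() {
    node=$1 old=$2 new=$3
    for id in "$node" "$old" "$new"; do
        is_uuid "$id" || { echo "not a UUID: '$id'" >&2; return 2; }
    done
    [ "$old" != "$new" ] || { echo "old and new cert IDs match" >&2; return 2; }
    if [ "${NSX_APPLY:-0}" != "1" ]; then
        echo "POST $(release_url "$old") body=$(release_payload "$node")"
        echo "POST $(apply_url "$new" "$node")"
        return 0
    fi
    # -k from the article is dropped: plain http on loopback has no TLS to skip.
    # --fail turns an HTTP error (such as BAD_REQUEST) into a stop before step 2.
    curl -sS --fail -H "Content-Type: application/json" \
         -H "X-NSX-Username:admin" -H "X-NSX-Groups:superuser" \
         -X POST "$(release_url "$old")" -d "$(release_payload "$node")" || return 1
    curl -sS --fail -X POST -H "Content-Type: application/json" \
         -H "X-NSX-Username:system" -H "X-NSX-Groups:superuser" \
         "$(apply_url "$new" "$node")"
}

# The article's example IDs for node A.
replace_cert c12a0142-af3e-881e-7623-9f4f364b44db \
             b13ca0d1-717d-4109-a7aa-260c5808083d \
             c9046080-735e-4515-962c-61c8173c7edf
```

Review the two printed requests first, then rerun with NSX_APPLY=1 to send them.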

Key Takeaways

By following this procedure, you can ensure smooth SSL certificate replacements in your VMware NSX environment. Let us know in the comments if you’ve faced similar issues or have additional tips to share!

Alexey Koznov
