Resolving VMware NSX Error MP029 / 289: SSL Certificate Replacement Guide
The Problem: SSL Certificate Replacement Error
We attempted to replace SSL certificates on NSX Manager nodes using the following API call, as documented in VMware's official guide:
POST https://<NSX-Manager-FQDN>/api/v1/trust-management/certificates/<new-cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
Example with Data:
POST https://nsx01a-mgr.local.domain/api/v1/trust-management/certificates/c9046080-735e-4515-962c-61c8173c7edf?action=apply_certificate&service_type=API&node_id=c12a0142-af3e-881e-7623-9f4f364b44db
However, this resulted in the following error:
{
  "httpStatus": "BAD_REQUEST",
  "error_code": 289,
  "module_name": "common-services",
  "error_message": "Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)"
}
Key IDs in the Examples
| Placeholder | Example Value | Description |
|---|---|---|
| <new-cert-id> | c9046080-735e-4515-962c-61c8173c7edf | ID of the SSL certificate being applied. |
| <node-id> | c12a0142-af3e-881e-7623-9f4f364b44db | ID of the NSX Manager node. |
Root Cause
The error indicated that the certificate’s ownership was tied to node_mgmt, which had lost its role permissions. As a result, the admin user lacked the necessary privileges to modify the certificate.
VMware’s Recommended Solution
To resolve the issue, VMware Support provided a step-by-step procedure to release the old certificate and apply the new one. Here’s how to perform these steps on NSX Manager node A:
1. Release the Old Certificate
Prepare a JSON payload file (request_a.json) with the following content:
{
  "node_id": "<node-id>",
  "service_type": "API"
}
Example with Data:
{
  "node_id": "c12a0142-af3e-881e-7623-9f4f364b44db",
  "service_type": "API"
}
Run the following command to release the old certificate:
curl -k -H "Content-Type: application/json" \
-H "X-NSX-Username:admin" \
-H "X-NSX-Groups:superuser" \
-X POST "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<old-cert-id>?action=release" \
-d @request_a.json
Example with Data:
curl -k -H "Content-Type: application/json" \
-H "X-NSX-Username:admin" \
-H "X-NSX-Groups:superuser" \
-X POST "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/b13ca0d1-717d-4109-a7aa-260c5808083d?action=release" \
-d @request_a.json
2. Apply the New Certificate
To apply the new certificate, use the following command:
curl -k -X POST -H "Content-Type: application/json" \
-H 'X-NSX-Username:system' \
-H 'X-NSX-Groups:superuser' \
"http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<new-cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>"
Example with Data:
curl -k -X POST -H "Content-Type: application/json" \
-H 'X-NSX-Username:system' \
-H 'X-NSX-Groups:superuser' \
"http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/c9046080-735e-4515-962c-61c8173c7edf?action=apply_certificate&service_type=API&node_id=c12a0142-af3e-881e-7623-9f4f364b44db"
3. Repeat for Other Nodes
Repeat the same procedure for all other NSX Manager nodes, replacing the certificate and node IDs as appropriate.
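The release and apply steps above, wrapped as a per-node script with ID validation and a dry-run default. This is an added example, not VMware's or the author's code. It assumes it is run on the Manager node itself (the endpoint is 127.0.0.1:7440) and that a failed call returns a body containing "error_code", as in the error shown earlier; the function names and the APPLY variable are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's or the author's script). Run on the NSX Manager
# node itself: the page's endpoint is the node-local 127.0.0.1:7440 listener.
# Dry-run by default; set APPLY=1 to send the requests.
BASE="http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates"

# Accept only a canonical 8-4-4-4-12 hex UUID, so a typo or stray character
# never ends up inside the request URL or the JSON body.
is_uuid() {
  case $1 in *[!0-9a-fA-F-]*|'') return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

release_body() { printf '{"node_id": "%s", "service_type": "API"}' "$1"; }
release_url()  { printf '%s/%s?action=release' "$BASE" "$1"; }
apply_url()    { printf '%s/%s?action=apply_certificate&service_type=API&node_id=%s' "$BASE" "$1" "$2"; }

# Assumption: a failed call returns a JSON body with an "error_code" field,
# like the error 289 response quoted on this page.
is_error_body() { printf '%s' "$1" | grep -Eq '"error_code"[[:space:]]*:'; }

post() {  # post <username> <url> [json-body]
  if [ "${APPLY:-0}" != 1 ]; then
    echo "DRY-RUN: POST $2 (X-NSX-Username:$1)${3:+ body: $3}"
    return 0
  fi
  resp=$(curl -sS -X POST -H "Content-Type: application/json" \
    -H "X-NSX-Username:$1" -H "X-NSX-Groups:superuser" \
    ${3:+-d "$3"} "$2") || return 1
  if is_error_body "$resp"; then echo "NSX error: $resp" >&2; return 1; fi
}

rotate_node() {  # rotate_node <node-id> <old-cert-id> <new-cert-id>
  for id in "$1" "$2" "$3"; do
    is_uuid "$id" || { echo "not a UUID: $id" >&2; return 2; }
  done
  # Step 1 as 'admin', step 2 as 'system', as in the procedure above.
  # A failed release stops the run before the apply call is made.
  post admin  "$(release_url "$2")" "$(release_body "$1")" || return 1
  post system "$(apply_url "$3" "$1")"
}

# Usage: sh rotate.sh <node-id> <old-cert-id> <new-cert-id>
if [ "$#" -eq 3 ]; then rotate_node "$@"; fi
```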
Key Takeaways
- Permission Issues: The error occurred because the certificate’s owner (node_mgmt) lacked proper role permissions.
- System Role: Using the system role resolved the permission issue, allowing the certificate to be successfully applied.
- Consistency: Always verify and validate certificates before applying them to avoid downtime or configuration mismatches.
By following this procedure, you can ensure smooth SSL certificate replacements in your VMware NSX environment. Let us know in the comments if you’ve faced similar issues or have additional tips to share!