LB service on NSX Edge not starting after deploying new SSL certificate
search cancel

LB service on NSX Edge not starting after deploying new SSL certificate


Article ID: 325425


Updated On:


VMware NSX Networking


Applying new application profile to virtual server or changes in already applied application profile fails during configuration task

The following errors are seen in the details of the failed task and in the Edge logs:
'bind' : inconsistencies between private key and certificate loaded from PEM file '/var/db/loadbalancer//certs/vip-123.pem'.
Error(s) found in configuration file : /var/db/vmware/vshield/haproxy.conf
Proxy 'vip-123': no SSL certificate specified for bind '' at [/var/db/vmware/vshield/haproxy.conf:459] (use 'crt').
Fatal errors found in configuration.

After applying this change, the Load Balancer service will not start up and all virtual servers configured on the Edge will not be reachable


VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x


Certificate chains need to be imported in a specific order for the certificate to work as expected.
If there are not imported correctly the LB process on the Edge will not match the private key with the certificate and the process will not start up correctly.

The certificates need to be in the following order in the certificate box of the import dialog:
  1. Server certificate
  2. Any number of intermediate CA certificates
  3. Root CA certificates
Please note that each certificate must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines


Revert the configuration. This will bring the LB service back up.
Then remove the certificate chain on the Edge.
After removing the certificate chain, add the certificate chain according to KB 2113945.