LB service on NSX Edge not starting after deploying new SSL certificate
Article ID: 325425

Products

VMware NSX

Issue/Introduction

Symptoms:
Applying a new application profile to a virtual server, or changing an application profile that is already applied, fails during the configuration task.

The following errors are seen in the details of the failed task and in the Edge logs:
'bind 192.168.1.1:443' : inconsistencies between private key and certificate loaded from PEM file '/var/db/loadbalancer//certs/vip-123.pem'.
Error(s) found in configuration file : /var/db/vmware/vshield/haproxy.conf
Proxy 'vip-123': no SSL certificate specified for bind '192.168.1.1:443' at [/var/db/vmware/vshield/haproxy.conf:459] (use 'crt').
Fatal errors found in configuration.

After this change is applied, the Load Balancer service does not start and none of the virtual servers configured on the Edge are reachable.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Cause

Certificate chains must be imported in a specific order for the certificate to work as expected.
If they are not imported in that order, the LB process (HAProxy) on the Edge cannot match the private key with the certificate it reads from the PEM file, and the process does not start.

The certificates need to be in the following order in the certificate box of the import dialog:
  1. Server certificate
  2. Any number of intermediate CA certificates
  3. Root CA certificates
Note that each certificate must include its own -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
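As an added example (not VMware's or HAProxy's code), the Python script below checks a PEM bundle for the two causes described above before it is pushed to the Edge: it parses the PEM blocks, verifies that every block has both its BEGIN and END lines, that the first block is the server certificate, and that each certificate's issuer is the subject of the certificate that follows it, which is exactly the server-then-intermediates-then-root order required here. It uses only the standard library. The sample certificates it builds with fake_cert are constructed, unsigned X.509-shaped fixtures, not real certificates, and the placeholder key block is not a real key; openssl_check is for a real bundle file and loads it through OpenSSL the way HAProxy does, so it also catches a private key that does not match the first certificate.

```python
"""Pre-flight checks for an HAProxy-style PEM bundle (server cert, intermediates,
root CA, private key). Constructed example; stdlib only."""
import base64
import re
import ssl

# One complete PEM block: BEGIN and END labels must match (\1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return (label, der_bytes) for every block that has both delimiter lines."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_issuer(der):
    """Return the raw DER bytes of (subject, issuer) from an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    start = p
    _, _, p = _tlv(der, p)                  # issuer Name
    issuer = der[start:p]
    _, _, p = _tlv(der, p)                  # validity
    start = p
    _, _, p = _tlv(der, p)                  # subject Name
    return der[start:p], issuer


def check_bundle(text):
    """Return a list of problems found in the bundle text; empty means it passes."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError:                      # binascii.Error: body is not base64
        return ["a PEM body is not valid base64"]
    problems = []
    if text.count("-----BEGIN ") != len(blocks) or text.count("-----END ") != len(blocks):
        problems.append("a block is missing its BEGIN or END line")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(keys) != 1:
        problems.append(f"expected one private key block, found {len(keys)}")
    if blocks and blocks[0][0] != "CERTIFICATE":
        problems.append("first block must be the server certificate, not the key")
    try:
        names = [subject_issuer(der) for der in certs]
    except (IndexError, ValueError):
        problems.append("a CERTIFICATE block does not decode as X.509 DER")
        return problems
    # Chain walk: the issuer of certificate i must be the subject of certificate i+1,
    # so the server certificate comes first, then intermediates, then the root.
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i + 2} is not the issuer of certificate {i + 1}"
                            " (order must be server cert, intermediates, root CA)")
    return problems


def openssl_check(path):
    """Load a real bundle file through OpenSSL, as HAProxy does; this also verifies
    that the private key matches the first certificate. Returns (ok, message)."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        return True, "private key matches the server certificate"
    except OSError as exc:                  # ssl.SSLError is an OSError subclass
        return False, str(exc)


def _der(tag, body):
    """Minimal DER encoder (short-form length only) for the constructed fixtures."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def fake_cert(subject, issuer):
    """Constructed, unsigned X.509-shaped DER used only to exercise the order check."""
    def name(cn):                            # Name ::= SEQUENCE { SET { SEQUENCE { CN OID, value } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
           + name(issuer) + _der(0x30, _der(0x17, b"240101000000Z") * 2) + name(subject)
           + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed sample chain: vip-123 <- Example Issuing CA <- Example Root CA.
LEAF = fake_cert("vip-123", "Example Issuing CA")
INTER = fake_cert("Example Issuing CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
KEY = pem("PRIVATE KEY", b"\x30\x00")        # placeholder key block, not a real key
GOOD_BUNDLE = pem("CERTIFICATE", LEAF) + pem("CERTIFICATE", INTER) + pem("CERTIFICATE", ROOT) + KEY
BAD_BUNDLE = pem("CERTIFICATE", ROOT) + pem("CERTIFICATE", INTER) + pem("CERTIFICATE", LEAF) + KEY

if __name__ == "__main__":
    for title, bundle in (("correct order", GOOD_BUNDLE), ("root first", BAD_BUNDLE)):
        print(title, "->", check_bundle(bundle) or "OK")
```

Run check_bundle on the text you are about to paste into the import dialog; the structural and chain-order checks need no key material, while openssl_check is the closest stand-in for what the Edge's HAProxy does at start-up and is the one to run on the assembled file with the real key.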

Resolution

Revert the configuration. This brings the LB service back up.
Then remove the certificate chain from the Edge.
After removing the certificate chain, add it again in the order described in KB 2113945.