Edge Deployment Failing "OVF certificate validation failed. Error: Error while fetching ovf file. er: (53)"

Article ID: 367853

Updated On:

Products

VMware NSX

Issue/Introduction

When attempting to deploy a new Edge Node VM, the deployment fails with an OVF certificate validation error similar to the following:

OVF certificate validation failed. Error: Error while fetching ovf file. er: (53) Certificate CN=XX,L=XX,C=XX was not verifiably signed by CN=XX,OU=XX,O=XX,C=XX: certificate does not verify with supplied key

Environment

NSX 4.1.1

Cause

This is a known issue caused by a code issue when upgrading to NSX 4.1.1.

Resolution

This issue is resolved in NSX 4.1.2.

Workaround:

The issue occurs due to an incorrect certificate chain in the .tomcat_cert.pem and .vip_cert.pem files.

The paths for these two files are as follows:

/home/secureall/secureall/.store/.tomcat_cert.pem
/home/secureall/secureall/.store/.vip_cert.pem

The certificate chain should be in the following order: “leaf(server) - intermediate - root”

The .vip_cert.pem and .tomcat_cert.pem might also have extra ‘bag attributes’ after each certificate. For example:

-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/DC=XX/DC=XX/DC=XX/CN=Configuration/CN=Services/CN=Public Key Services/CN=XX/CN=XX. Root CA
issuer=/DC=XX/DC=XX/DC=XX/CN=Configuration/CN=Services/CN=Public Key Services/CN=XX/CN=XX. Root CA
-----BEGIN CERTIFICATE-----


Create a backup of the original files .tomcat_cert.pem and .vip_cert.pem.

You will see a 3-certificate chain. The issue occurs because the intermediate and the root certificates get swapped, breaking the chain.

The .pem file will have certificates in the following order: leaf(server) > root > intermediate

Identify the server, root, and intermediate certificates.

You can do this by copying each certificate into a notepad and saving the file with a .cert extension.

Edit the file using Vim and swap the root and intermediate certificates.

Note: The correct order for the certificates is:

1. Server
2. Intermediate
3. Root

Edit the .pem files to correct the order of the certificates and remove the bag attributes. This change needs to be done on all 3 managers.

After editing, restart the HTTP service with the command “start service http”.

You can now proceed to deploy the new Edge.
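
The reordering and bag-attribute cleanup described in the workaround can also be done programmatically. The following is an added example, not VMware's own tooling: it reads a PEM bundle, discards everything outside the certificate blocks, and prints the chain as leaf, intermediate, root to stdout without modifying the input file. It assumes issuer and subject names match byte for byte, and it orders by name only without verifying signatures; the function names are illustrative.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:          # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def reorder(pem_text):
    """Drop bag attributes and return the chain as leaf, intermediate(s), root."""
    certs = []
    for body in PEM_RE.findall(pem_text):  # text between blocks is discarded
        issuer, subject = names(base64.b64decode(body))
        certs.append((issuer, subject, body.strip()))
    # Names that issued some other certificate in the file (self-signed excluded).
    issuers = {i for i, s, _ in certs if i != s}
    leaves = [c for c in certs if c[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    chain = leaves
    while True:  # follow issuer -> subject links until no parent is left
        parent = [c for c in certs if c[1] == chain[-1][0] and c not in chain]
        if not parent:
            break
        chain.append(parent[0])
    if len(chain) != len(certs):
        raise ValueError("file contains certificates outside the leaf's chain")
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % body for _, _, body in chain)

if __name__ == "__main__":
    # Prints the corrected chain to stdout; the input file is not modified.
    sys.stdout.write(reorder(open(sys.argv[1]).read()))
```

Run it against a copy of each .pem file and review the output before replacing the original.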