• You see a message similar to the following from the load balancer upgrade pre-checks:
  "Found data inconsistencies: There are unsupported certificates, SSL cipher suites or protocols found in LB objects. They are not in compliance with OpenSSL 3.0 starting from NSX version 4.2."

VMware NSX

NSX 4.2 upgrades to OpenSSL3.0 version for security consideration. OpenSSL3.0 (By default security level 1 and FIPS on) has stricter requirements for the cipher suite/SSL protocol/certificate used in SSL connection.

OpenSSL3.0 validates:

1. Certificate:
   1. 1024 key size cert is no longer supported.
   2. SHA1, MD5 cert are not allowed.
2. Cipher suite:
   1. 3DES cipher suites are not supported.
   2. ECDH- cipher suites are not supported.
3. SSL protocol:
   1. SSLv3 TLS1.1 TLS1.0 protocols are not supported.

Due to this impact, if a brownfield customer configured a LB with an unsupported certificate/cipher suite/SSL protocol, then the customer will be met with an upgrade pre-check warning or error during NSX upgrade process.

There is a LB upgrade pre-check output file created inside the NSX Manager. The file is:

/var/log/upgrade-coordinator/lb-precheck-output.txt

Note: The lb-precheck-output.txt is generated in one NSX Manager appliance. You may need to check all the NSX Manager appliances in the cluster to find the file, or the latest file if prechecks were run multiple times.

A workaround to complete the upgrade is to disable the load-balancer, and all services where an SSL certificate is attached: monitors, virtual servers, and SSL profiles. This will allow the upgrade to complete, and you can resolve your certificates on the new version of NSX.

In the case of an upgrade pre-check warning or error, you can review the lb-precheck-output.txt file and use the attached PDF (NSX_OpenSSL_Upgrade___NSX_LB_impact.pdf) to review the specific categories and the resolution for each warning/error.

If necessary, a new version of the file can be re-generated by re-running the upgrade prechecks (again, check all NSX Manager appliances to find the latest file).