Starting with NSX 4.2, OpenSSL has been upgraded to version 3.0. This upgrade introduces stricter requirements for SSL configurations.
If you have configured non-compliant ciphers, protocols, or certificates in NSX LB versions prior to 4.2, you will encounter a warning or error similar to the following during the upgrade pre-check process:
"Found data inconsistencies: There are unsupported certificates, SSL cipher suites or protocols found in LB objects. They are not in compliance with OpenSSL 3.0 starting from NSX version 4.2."
VMware NSX
NSX 4.2 upgrades to OpenSSL 3.0 for security reasons. OpenSSL 3.0 (by default, security level 1 with FIPS enabled) has stricter requirements for the cipher suites, SSL protocols, and certificates used in SSL connections.
OpenSSL 3.0 validates the cipher suites, the SSL protocol versions, and the certificates (key size and signature algorithm) used in each SSL connection.
Because of this, a brownfield customer who has configured an LB with unsupported certificates, cipher suites, or SSL protocols will encounter an upgrade pre-check warning or error during the NSX upgrade process.
Step 1: Access the LB upgrade pre-check output file
The LB upgrade pre-check generates a detailed output file that lists all impacted load balancer objects.
File Location: /var/log/upgrade-coordinator/lb-precheck-output.txt
The lb-precheck-output.txt file organizes the impacted load balancer objects into six categories, corresponding to the following LB pre-check points:
Policy cipher suite/SSL protocol error
Policy cipher suite/SSL protocol warning
MP cipher suite/SSL protocol error
MP cipher suite/SSL protocol warning
Policy SSL certificate error
MP SSL certificate error
To access the LB upgrade pre-check output file:
If the upgrade pre-check was initiated from a specific NSX Manager node, SSH to that NSX Manager node to access the output file.
If the upgrade pre-check was initiated from the NSX virtual IP, SSH to the NSX Manager that is configured with that virtual IP to access the output file.
Step 2: Download and open the PDF document attached to this KB
The PDF document lists detailed remediation steps for each category in the LB upgrade pre-check output file.
Step 3: Review impacted objects and take corrective actions
Refer to the lb-precheck-output.txt file and the attached PDF document to identify the impacted LB objects and follow the corrective actions for each category.
Warning Case:
Scenario: The load balancer has both supported and unsupported cipher suites or SSL protocols configured.
Impact:
Upgrade will NOT be blocked
A warning message is displayed
A pre-check output file is created
Note: The upgrade process will automatically remove the unsupported cipher suites and protocols. After the upgrade, only supported cipher suites and protocols will remain in the configuration.
Recommended Actions:
Review the impacted load balancer objects listed in lb-precheck-output.txt and refer to the 'Corrective Action' section in the attached PDF for remediation steps.
Validate that LB clients and LB backend servers support the OpenSSL 3.0-compliant cipher suites and protocols defined in your configuration.
Acknowledge the warning.
Proceed with the upgrade.
Error Case:
Scenario: The load balancer has ONLY unsupported cipher suites/SSL protocols configured, OR unsupported certificates are configured on virtual servers or monitors.
Impact:
Upgrade is BLOCKED
An error message is displayed
A pre-check output file is created
Recommended Actions:
Review the impacted load balancer objects listed in lb-precheck-output.txt and refer to the 'Corrective Action' section in the attached PDF for remediation steps.
Update the load balancer configurations to use OpenSSL 3.0-compliant settings:
Replace certificates with 2048-bit or higher keys. SHA-1 and MD5 certificates are not supported.
Configure supported cipher suites (remove 3DES, ECDH-, etc.).
Update SSL protocols to TLS 1.2.
Validate that LB clients and LB backend servers support the OpenSSL 3.0-compliant certificates, cipher suites and protocols defined in your configuration.
Verify end-to-end traffic flow from LB Client to LB VIP to pool members.
Run the upgrade pre-check again to confirm all issues are resolved.
Proceed with the upgrade only after all errors are cleared.
Important Notes:
Do NOT make load balancer configuration changes involving unsupported cipher suites, protocols, or certificates after the upgrade process has started.
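The warning case and the error case above differ only in whether any supported entry remains in a profile. The following is an added example (not NSX code) that applies that rule to an LB SSL profile before the upgrade. The profile shape, the TLS_V1_x protocol names, and the rule that only TLS 1.2 and non-3DES, non-static-ECDH cipher suites survive are assumptions taken from this KB's corrective actions.

```python
import re

# Assumptions from this KB's corrective actions: only TLS 1.2 is kept; cipher suites
# based on 3DES or static ECDH ("ECDH-" in OpenSSL naming, "TLS_ECDH_" in IANA naming)
# are removed. Adjust these sets if NSX documents a different supported list.
SUPPORTED_PROTOCOLS = {"TLS_V1_2"}
UNSUPPORTED_CIPHER_PATTERNS = (re.compile(r"3DES"), re.compile(r"^TLS_ECDH_"),
                               re.compile(r"^ECDH-"))

def cipher_supported(name: str) -> bool:
    """False for cipher suite names this KB says OpenSSL 3.0 will drop."""
    return not any(p.search(name) for p in UNSUPPORTED_CIPHER_PATTERNS)

def classify_ssl_profile(profile: dict) -> dict:
    """Mirror the pre-check outcome for one profile: 'error' if ONLY unsupported
    protocols or ONLY unsupported ciphers remain (upgrade blocked), 'warning' if
    a mix is configured (unsupported entries are dropped), otherwise 'ok'."""
    protocols = profile.get("protocols", [])
    ciphers = profile.get("ciphers", [])
    bad_protocols = [p for p in protocols if p not in SUPPORTED_PROTOCOLS]
    bad_ciphers = [c for c in ciphers if not cipher_supported(c)]
    no_protocol_left = bool(protocols) and len(bad_protocols) == len(protocols)
    no_cipher_left = bool(ciphers) and len(bad_ciphers) == len(ciphers)
    if no_protocol_left or no_cipher_left:
        level = "error"
    elif bad_protocols or bad_ciphers:
        level = "warning"
    else:
        level = "ok"
    return {"id": profile.get("id"), "level": level,
            "dropped": bad_protocols + bad_ciphers,
            "remaining_protocols": [p for p in protocols if p in SUPPORTED_PROTOCOLS],
            "remaining_ciphers": [c for c in ciphers if cipher_supported(c)]}

# Constructed sample profiles; the shape loosely follows Policy API SSL profile objects.
SAMPLE_PROFILES = [
    {"id": "default-balanced-client-ssl-profile", "protocols": ["TLS_V1_1", "TLS_V1_2"],
     "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
    {"id": "PolicyErrorClientProfile", "protocols": ["TLS_V1_2"],
     "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"]},
    {"id": "PolicyErrorServerProfile", "protocols": ["TLS_V1_1"],
     "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
]

if __name__ == "__main__":
    for result in map(classify_ssl_profile, SAMPLE_PROFILES):
        print(f"{result['level']:7} {result['id']}: drops {result['dropped']}")
```

Run it against an export of your own profiles to see which objects will block the upgrade (error) and which will merely be trimmed (warning).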
This section provides some example outputs for LB upgrade pre-checks. Please refer to the [Note:] fields for specific explanations and recommended actions.
Additional examples and detailed remediation steps are available in the attached PDF document.
==The impacted LB SSL profiles in Policy API==
The impacted LB objects are configured with only unsupported cipher suites/SSL protocols.
PolicyErrorClientProfile:/infra/lb-client-ssl-profiles/PolicyErrorClientProfile(Cipher Suite Error) [Note: This is the LB Client SSL profile which only contains unsupported cipher]
Configured in LB virtual servers:
PolicyVSWithErrorProfile:/infra/lb-virtual-servers/PolicyVSWithErrorProfile [Note: Please update the Client SSL profile with supported ciphers and ensure the LB clients have supported ciphers when connecting to this Virtual Server.]
PolicyErrorServerProfile:/infra/lb-server-ssl-profiles/PolicyErrorServerProfile(Protocol Error) [Note: This is the LB Server SSL profile which only contains unsupported protocol]
Configured in LB virtual servers:
PolicyVSWithErrorProfile:/infra/lb-virtual-servers/PolicyVSWithErrorProfile [Note: Please update the protocol in the server SSL profile to TLS 1.2 and ensure the LB backend servers support TLS 1.2 when communicating with LB]
Configured in LB monitors:
PolicyLBMonitorError:/infra/lb-monitor-profiles/PolicyLBMonitorError [Note: Please update the protocol in the server SSL profile to TLS 1.2 and ensure the LB backend servers support TLS 1.2 when communicating with LB]
==The LB virtual servers which have the impacted LB rules in Policy API==
PolicyErrorRuleCipherError:/infra/lb-virtual-servers/PolicyErrorRuleCipherError(Cipher Suite Error) [Note: The virtual server Client SSL condition rule has only unsupported cipher. Please update the rule with supported ciphers and ensure LB clients have supported cipher suites when connecting to the virtual server]
PolicyVSRuleError:/infra/lb-virtual-servers/PolicyVSRuleError(Protocol Error) [Note: The virtual server Client SSL rule condition has only unsupported protocol. Please update the protocol in the rule condition to TLS 1.2 and ensure LB clients support TLS 1.2 when connecting to the virtual server]
The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.
==The impacted LB SSL profiles in Policy API==
default-balanced-client-ssl-profile:/infra/lb-client-ssl-profiles/default-balanced-client-ssl-profile [Note: This is the default LB Client SSL profile which contains TLS 1.1 and TLS 1.2 protocols]
Configured in LB virtual servers:
PolicyVSWithDefaultSSLProfile:/infra/lb-virtual-servers/PolicyVSWithDefaultSSLProfile [Note: This virtual server is configured with default-balanced-client-ssl-profile. Please ensure the LB clients support TLS 1.2 when connecting to this Virtual Server.]
default-balanced-server-ssl-profile:/infra/lb-server-ssl-profiles/default-balanced-server-ssl-profile [Note: This is the default LB Server SSL profile which contains TLS 1.1 and TLS 1.2 protocols]
Configured in LB virtual servers:
PolicyVSWithErrCert:/infra/lb-virtual-servers/PolicyVSWithErrCert [Note: This virtual server is configured with default-balanced-server-ssl-profile. Please ensure the LB backend servers support TLS 1.2 when communicating with LB]
Configured in LB monitors:
PolicyLBMonitorWarning:/infra/lb-monitor-profiles/PolicyLBMonitorWarning [Note: This monitor is configured with default-balanced-server-ssl-profile. Please ensure the LB backend servers support TLS 1.2 when communicating with LB]
==The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API==
/infra/lb-monitor-profiles/default-https-lb-monitor [Note: This is the default LB HTTPs monitor profile which contains TLS 1.1 and TLS 1.2 protocols]
Configured in LB pools:
PolicyLBPoolWithDefaultHttpsMonitor:/infra/lb-pools/PolicyLBPoolWithDefaultHttpsMonitor [Note: This LB Pool is configured with default-https-lb-monitor. Please ensure the LB backend servers support TLS 1.2 when communicating with LB]
The following certificates in LB objects are not in compliance with OpenSSL 3.0.
==The impacted certificates in Policy API==
InvalidCert:/infra/certificates/InvalidCert [Note: This is the certificate which is not compliant with OpenSSL 3.0. Please import a new OpenSSL 3.0-compliant certificate.]
Configured in LB virtual servers:
PolicyVSWithErrCert:/infra/lb-virtual-servers/PolicyVSWithErrCert [Note: Please update the virtual server with the OpenSSL 3.0-compliant certificate.]
Configured in LB monitors:
PolicyLBMonitorError:/infra/lb-monitor-profiles/PolicyLBMonitorError [Note: Please update the monitor with the OpenSSL 3.0-compliant certificate.]
If certificate-related errors are reported in the pre-check output file, follow these steps:
Check the certificate details via the NSX Manager UI or by using the OpenSSL command: openssl x509 -noout -text -in <certificate_pem_file>.
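The openssl command above prints the two fields that decide compliance: the signature algorithm and the public key size. The following is an added example (not NSX code) that parses that text output and reports the findings this KB describes (SHA-1/MD5 signatures, keys below 2048 bits). The sample excerpts are constructed, and applying the 2048-bit threshold only to RSA keys is an assumption.

```python
import re
import subprocess

# Thresholds taken from this KB's corrective actions: keys below 2048 bits and
# SHA-1 or MD5 signatures are not accepted by OpenSSL 3.0.
MIN_RSA_KEY_BITS = 2048
WEAK_SIGNATURE_RE = re.compile(r"(sha1|md5)(?!\d)", re.IGNORECASE)

def check_cert_text(text: str) -> list:
    """Parse `openssl x509 -noout -text` output and return a list of compliance findings."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig is None:
        findings.append("signature algorithm not found in certificate text")
    elif WEAK_SIGNATURE_RE.search(sig.group(1)):
        findings.append(f"weak signature algorithm {sig.group(1)} (SHA-1/MD5 not supported)")
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    key = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if key is None:
        findings.append("public key size not found in certificate text")
    # Assumption: the 2048-bit minimum applies to RSA keys; EC keys use smaller sizes.
    elif (alg is None or alg.group(1) == "rsaEncryption") and int(key.group(1)) < MIN_RSA_KEY_BITS:
        findings.append(f"key size {key.group(1)} bit is below {MIN_RSA_KEY_BITS} bit")
    return findings

def check_cert_file(pem_path: str) -> list:
    """Run the openssl command from this KB against a PEM file and check its output."""
    out = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", pem_path],
                         capture_output=True, text=True, check=True).stdout
    return check_cert_text(out)

# Constructed excerpts of openssl output; only the fields the checker reads are included.
WEAK_CERT_TEXT = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
GOOD_CERT_TEXT = """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    for name, text in (("InvalidCert", WEAK_CERT_TEXT), ("GoodCert", GOOD_CERT_TEXT)):
        print(name, "->", check_cert_text(text) or ["OpenSSL 3.0 compliant"])
```

An empty list means the certificate passes both checks; any finding means the certificate should be replaced before re-running the pre-check.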
The lb-precheck-output.txt file organizes impacted load balancer objects into six categories based on specific check points.
Please refer to the table below to locate the corresponding section in the attached PDF and review the recommended remediation steps.
| Categories | Check points in lb-precheck-output.txt | PDF Sections | Note |
|---|---|---|---|
| Category 1 | Policy cipher suite/SSL protocol error | 3.1 Category 1: Check Policy cipher suite/SSL protocol error | |
| | ==The impacted LB SSL profiles in Policy API== | 3.1.1 The impacted LB SSL profiles in Policy API | |
| | ==The LB virtual servers which have the impacted LB rules in Policy API== | 3.1.2 The LB virtual servers which have the impacted LB rules in Policy API | The Policy LB virtual server Client SSL rule condition has only unsupported ciphers or protocols configured. |
| Category 2 | Policy cipher suite/SSL protocol warning | 3.2 Category 2: Check Policy cipher suite/SSL protocol warning | |
| | ==The impacted LB SSL profiles in Policy API== | 3.2.1 The impacted LB SSL profiles in Policy API | |
| | ==The LB virtual servers which have the impacted LB rules in Policy API== | 3.2.2 The LB virtual servers which have the impacted LB rules in Policy API | The Policy LB virtual server Client SSL rule condition has both supported and unsupported ciphers or protocols configured. |
| | ==The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API== | 3.2.3 The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API | When no specific LB SSL profile is configured for an LB HTTPS monitor, the internal configuration sets TLS 1.1 and TLS 1.2 by default. TLS 1.1 is not OpenSSL 3.0 compliant and will be removed after upgrade. |
| Category 3 | MP cipher suite/SSL protocol error | 3.3 Category 3: Check MP cipher suite/SSL protocol error | |
| | ==The impacted LB HTTPS monitors in MP API /api/v1/loadbalancer/monitors== | 3.3.1 The impacted LB HTTPS monitors in MP API /api/v1/loadbalancer/monitors | |
| | ==The impacted LB rules in MP API /api/v1/loadbalancer/rules== | 3.3.2 The impacted LB rules in MP API /api/v1/loadbalancer/rules | |
| | ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles== | 3.3.3 The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles | |
| | ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles== | 3.3.4 The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles | |
| Category 4 | MP cipher suite/SSL protocol warning | 3.4 Category 4: Check MP cipher suite/SSL protocol warning | |
| | ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles== | 3.4.1 The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles | |
| | ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles== | 3.4.2 The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles | |
| | ==The impacted LB rules in MP API /api/v1/loadbalancer/rules== | 3.4.3 The impacted LB rules in MP API /api/v1/loadbalancer/rules | |
| | ==The impacted LB HTTPS monitors in MP API /api/v1/loadbalancer/monitors== | 3.4.4 The impacted LB HTTPS monitors in MP API /api/v1/loadbalancer/monitors | |
| Category 5 | Policy SSL certificate error | 3.5 Category 5: Check Policy SSL certificate error | |
| | ==The impacted certificates in Policy API== | 3.5.1 The impacted certificates in Policy API | |
| Category 6 | MP SSL certificate error | 3.6 Category 6: Check MP SSL certificate error | |
| | ==The impacted certificates in MP API /api/v1/trust-management/certificates== | 3.6.1 The impacted certificates in MP API /api/v1/trust-management/certificates | |