How to remediate NSX load balancer upgrade pre-check failing with message regarding OpenSSL 3.0 compliance

Article ID: 368005

Products

VMware NSX

Issue/Introduction

  • You see a message similar to the following from the load balancer upgrade pre-checks:
    "Found data inconsistencies: There are unsupported certificates, SSL cipher suites or protocols found in LB objects. They are not in compliance with OpenSSL 3.0 starting from NSX version 4.2."

Environment

VMware NSX 4.2

Cause

NSX 4.2 moves to OpenSSL 3.0 for security reasons. OpenSSL 3.0 (by default at security level 1 with FIPS enabled) has stricter requirements for the cipher suites, SSL/TLS protocols and certificates used in an SSL connection.

OpenSSL 3.0 validates:

  1. Certificate:
    1. Certificates with a 1024-bit key are no longer supported.
    2. Certificates signed with SHA-1 or MD5 are not allowed.
  2. Cipher suite:
    1. 3DES cipher suites are not supported.
    2. ECDH- (static ECDH) cipher suites are not supported.
  3. SSL protocol:
    1. The SSLv3, TLS 1.0 and TLS 1.1 protocols are not supported.

As a result, a brownfield customer who has configured an LB with an unsupported certificate, cipher suite or SSL protocol will see an upgrade pre-check warning or error during the NSX upgrade process.
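To show what the pre-check is looking for, the following added example (not the NSX pre-check itself) applies the three rule families above to an inventory of LB objects. The inventory shape, field names and object IDs are constructed for the example and are not the NSX API schema; cipher names are matched in both OpenSSL style (ECDH-RSA-*, DES-CBC3-*) and IANA style (TLS_ECDH_*, *_3DES_*), and protocol names follow the TLS_V1_2 convention used in this KB.

```python
import re

# Rules as stated in the KB for OpenSSL 3.0 (security level 1, FIPS on).
MIN_KEY_BITS = 2048                        # 1024-bit certificate keys are rejected
BAD_SIG_HASHES = {"sha1", "md5"}           # SHA-1 and MD5 signatures are rejected
BAD_CIPHER_PATTERNS = (
    re.compile(r"3DES|DES-CBC3", re.I),    # triple-DES suites, either naming style
    re.compile(r"^ECDH-|_ECDH_", re.I),    # static ECDH suites (ECDHE is not matched)
)
BAD_PROTOCOLS = {"SSL_V3", "TLS_V1", "TLS_V1_1"}   # assumed naming, after TLS_V1_2


def check_lb_inventory(inventory):
    """Return (object_type, object_id, reason) tuples for every non-compliant item."""
    findings = []
    for cert in inventory.get("certificates", []):
        if cert["key_bits"] < MIN_KEY_BITS:
            findings.append(("certificate", cert["id"],
                             f"key size {cert['key_bits']} < {MIN_KEY_BITS}"))
        if cert["signature_hash"].lower() in BAD_SIG_HASHES:
            findings.append(("certificate", cert["id"],
                             f"signature hash {cert['signature_hash']}"))
    for prof in inventory.get("ssl_profiles", []):
        for cipher in prof["ciphers"]:
            if any(p.search(cipher) for p in BAD_CIPHER_PATTERNS):
                findings.append(("ssl_profile", prof["id"], f"cipher {cipher}"))
        for proto in prof["protocols"]:
            if proto in BAD_PROTOCOLS:
                findings.append(("ssl_profile", prof["id"], f"protocol {proto}"))
    return findings


# Constructed sample inventory: one legacy and one compliant object of each kind.
SAMPLE_INVENTORY = {
    "certificates": [
        {"id": "cert-legacy", "key_bits": 1024, "signature_hash": "sha1"},
        {"id": "cert-ok", "key_bits": 2048, "signature_hash": "sha256"},
    ],
    "ssl_profiles": [
        {"id": "prof-legacy", "protocols": ["TLS_V1", "TLS_V1_2"],
         "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "ECDH-RSA-AES128-SHA"]},
        {"id": "prof-ok", "protocols": ["TLS_V1_2"],
         "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    ],
}

if __name__ == "__main__":
    for obj_type, obj_id, reason in check_lb_inventory(SAMPLE_INVENTORY):
        print(f"{obj_type} {obj_id}: {reason}")
```

Only the legacy certificate and profile are reported; the ECDHE suite and TLS_V1_2 in the compliant profile pass, which mirrors the distinction between ECDH- and ECDHE- suites in the rule above.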

Resolution

The LB upgrade pre-check writes an output file on the NSX Manager at:

/var/log/upgrade-coordinator/lb-precheck-output.txt

A workaround that lets the upgrade complete is to disable the load balancer and every service that has an SSL certificate attached: monitors, virtual servers and SSL profiles. The upgrade can then finish, and you can resolve the certificates on the new version of NSX.

If the upgrade pre-check reports a warning or error, review the lb-precheck-output.txt file and use the attached PDF (NSX_OpenSSL_Upgrade___NSX_LB_impact.pdf) to look up the specific category and the resolution for each warning or error.

Additional Information

Note:

NSX 4.2 moves to OpenSSL 3.0 for security reasons, and only the TLS_V1_2 protocol is supported from NSX 4.2 onward.

More information is in the PDF attached to this KB.

Attachments

NSX OpenSSL Upgrade – NSX LB impact.pdf