When attempting to upgrade the NSX Edges, you see messages similar to the following:
In the upgrade logs from the UI:
Prepare edge upgrade bundle <url>.nub failed on edge TransportNode <nodeID>: clientType EDGE , target edge fabric node id <nodeID>, return status Download and verify bundle failed with msg: Closing connection 0 .
or
The certificate with id <UUID> failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading
In the Edge Node var/syslog log file:
Error downloading nub '<url>.nub', output msg: , error msg: * Trying (with httplib) <managerfqdn>:443...#012* certificate verification from <managerfqdn>:443 failed: Certificate <certificate details> does not use supported signature algorithm.#012* Closing connection 0#012curl_wrapper: (53) <certificate details> does not use supported signature algorithm.#012
The syslog messages confirm that the chosen certificate uses an unsupported signature algorithm. The requirement to use a supported signature algorithm applies to every certificate in the chain (leaf, intermediate and root). Unsupported algorithms include SHA1 and PSS.
Check all the certificates within the chain to identify the certificate with the unsupported signature algorithm.
Generate a new certificate using one of the supported algorithms documented in "Create a Certificate Signing Request File".
Apply the new certificate once the root CA has sent it.
Retry the upgrade.
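
For the chain check in the steps above, this added example (not part of the original article or of NSX) prints the signature algorithm of every certificate in a PEM bundle and flags SHA1 and PSS. The function names, the file name chain.pem and the sample text are assumptions constructed for illustration; it relies on the standard openssl crl2pkcs7 and pkcs7 commands.

```shell
#!/usr/bin/env bash
# Added example: report the signature algorithm of every certificate in a PEM
# bundle and flag SHA1 and PSS, the algorithms the article names as unsupported.

# Reads `openssl ... -text` output on stdin and prints one tab-separated line
# per certificate: STATUS, signature algorithm, subject.
classify_sigalgs() {
  awk '
    /Signature Algorithm:/ { alg = $NF; next }   # precedes Subject in each certificate
    /^ *Subject:/ {
      sub(/^ *Subject: */, "")
      status = (tolower(alg) ~ /sha1|pss/) ? "UNSUPPORTED" : "OK"
      printf "%s\t%s\t%s\n", status, alg, $0
    }'
}

# Decodes all certificates in a PEM bundle (leaf, intermediate and root).
check_chain_file() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -text -noout |
    classify_sigalgs
}

# Constructed sample: trimmed openssl text output for a three-certificate chain.
sample_text() {
  cat <<'EOF'
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Subject: CN = nsx-mgr.example.test
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha256
        Issuer: CN = Example Root CA
        Subject: CN = Example Issuing CA
    Signature Algorithm: rsassaPss
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Root CA
        Subject: CN = Example Root CA
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Usage: ./check_chain.sh chain.pem   (chain.pem is a hypothetical file name)
if [ -f "${1:-}" ]; then check_chain_file "$1"; else sample_text | classify_sigalgs; fi
```

Run it against a bundle that contains the root as well as the leaf and intermediates, since a server normally omits the root from the chain it presents.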