Upgrading to VCF 5.2: NSX Upgrade failing at "The certificate with id <UUID> failed to parse with error: null."

Article ID: 376184

Products

VMware NSX

Issue/Introduction

  • When upgrading to VCF 5.2, the NSX upgrade fails with:

"The certificate with id ######-####-####-####-########## failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading."

  • In the SDDC Manager log sddc/var/log/vmware/vcf/lcm/lcm-debug.log, an error similar to this example is present:

2024-08-27T13:31:14.558+0000 ERROR [vcf_lcm,0000000000000000,0000,upgradeId=########-####-####-####-##########,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=<SDDC Manager FQDN>:_ParallelClusterUpgradeElement,bundleElementId=########-####-####-####-##########] [c.v.e.s.l.p.i.n.s.NsxtUpgradeStageRunner,Upgrade-5] NSX pre-upgrade checks failed Certificate Validity Checks: [The certificate with id ########-####-####-####-########## failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading.]: <NSX-Manager-Node01-FQDN>, <NSX-Manager-Node02-FQDN>, <NSX-Manager-Node03-FQDN>

  • In the NSX Manager log /var/log/upgrade-coordinator/upgrade-coordinator.log, an error similar to this example is present:

2024-08-27T13:30:20.761Z ERROR pool-51-thread-2 CertUtils 1447312 - [nsx@6876 comp="nsx-manager" errorCode="MP2071" level="ERROR" subcomp="upgrade-coordinator"] Certificate uploaded with insufficient signature algorithm.
2024-08-27T13:30:20.761Z ERROR pool-51-thread-2 CertificateInspectionTask 1447312 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30460" level="ERROR" subcomp="upgrade-coordinator"] ########-####-####-####-##########
2024-08-27T13:30:20.829Z  INFO pool-51-thread-2 UpgradeServiceImpl 1447312 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Executing cleanUp for check Certificate Validity Checks
2024-08-27T13:30:20.829Z  WARN pool-51-thread-2 UpgradeServiceImpl 1447312 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="upgrade-coordinator"] [PUC] Pre-upgrade check InspectionTaskInfo[id=certificateCheck, name=Certificate Validity Checks,description=Checks if all the certificates are properly formatted, in order to avoid that during upgrade a newer JVM  rejects certificates which were accepted previously,componentType=MP, needsAcknowledgement=false,acknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>] failed with result BasicInspectionTaskResult{status=FAILURE, taskInfo=InspectionTaskInfo[id=certificateCheck,name=Certificate Validity Checks,description=Checks if all the certificates are properly formatted, in order to avoid that during upgrade a newer JVM  rejects certificates which were accepted previously,componentType=MP,needsAcknowledgement=false,acknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>], failureMessages=null, failures=[{"moduleName":"upgrade-coordinator","errorCode":30460,"errorMessage": "The certificate with id ########-####-####-####-########## failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading."}]}

Environment

VCF 5.2
NSX 4.2.0

Cause

This failure occurs when a certificate uses an unsupported cipher (signature algorithm) such as RSA-SHA1. The affected certificate may be any certificate in the certificate chain.

The problem certificate may have been imported on an older version of NSX, when this algorithm was still supported.
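
Because the pre-upgrade message only reports "error: null", the actual reason has to be read from the CertUtils line logged just before the MP30460 line in upgrade-coordinator.log. The following Python script is an added example, not VMware code: it pairs each failing certificate id with that reason. The sample log is constructed from the excerpt above with made-up certificate ids, and the pairing rule (reason line directly precedes the id line on the same thread) is an assumption drawn from that excerpt.

```python
import re

# Constructed sample modeled on the upgrade-coordinator.log excerpt in this
# article; the certificate ids are made up for illustration.
SAMPLE_LOG = """\
2024-08-27T13:30:20.761Z ERROR pool-51-thread-2 CertUtils 1447312 - [nsx@6876 comp="nsx-manager" errorCode="MP2071" level="ERROR" subcomp="upgrade-coordinator"] Certificate uploaded with insufficient signature algorithm.
2024-08-27T13:30:20.761Z ERROR pool-51-thread-2 CertificateInspectionTask 1447312 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30460" level="ERROR" subcomp="upgrade-coordinator"] 11111111-2222-3333-4444-555555555555
2024-08-27T13:30:20.829Z  INFO pool-51-thread-2 UpgradeServiceImpl 1447312 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Executing cleanUp for check Certificate Validity Checks
2024-08-27T13:30:21.002Z ERROR pool-51-thread-3 CertificateInspectionTask 1447312 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30460" level="ERROR" subcomp="upgrade-coordinator"] aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""

# timestamp, level, thread, logging class, structured-data block, free-text message
LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<thread>\S+)\s+(?P<cls>\S+)\s.*?'
    r'\[nsx@6876 (?P<sd>[^\]]*)\]\s*(?P<msg>.*)$')
CODE = re.compile(r'errorCode="(MP\d+)"')
UUID = re.compile(r'[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}')
NO_REASON = "no preceding CertUtils reason on this thread"

def failing_certificates(log_text):
    """Return [(cert_id, reason)] for every MP30460 certificate-check failure.

    Assumption: the CertUtils line carrying the real reason is the previous
    line logged on the same thread, as in the article's excerpt.
    """
    prev_by_thread = {}  # thread -> (class, message) of its previous line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines or other formats are skipped
        code = CODE.search(m["sd"])
        if code and code.group(1) == "MP30460":
            cert = UUID.search(m["msg"])
            prev = prev_by_thread.get(m["thread"])
            reason = prev[1] if prev and prev[0] == "CertUtils" else NO_REASON
            if cert:
                results.append((cert.group(0), reason))
        prev_by_thread[m["thread"]] = (m["cls"], m["msg"])
    return results

if __name__ == "__main__":
    for cert_id, reason in failing_certificates(SAMPLE_LOG):
        print(f"{cert_id}: {reason}")
```
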

Resolution

Create a new certificate with a supported cipher and key length, and use it to replace the certificate identified in the error message.

  • Key length: a minimum of 1024 bits for RSA

  • Supported ciphers (signature algorithms):

SHA256WithRsaEncryption
SHA384WithRsaEncryption
SHA512WithRsaEncryption
ECDSA-WITH-SHA256
ECDSA-WITH-SHA384
ECDSA-WITH-SHA512
DSA-WITH-SHA256

Additional Information