V2T migration fails with error "HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate."

Article ID: 384010


Products

VMware NSX

Issue/Introduction

  • V2T migration fails with error "HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate."
  • Log file /var/log/migration-coordinator/migration-coordinator.log contains an entry such as:
    Execution monitor service invoked to react to failure of node ConfigApplyL3ToL7 [Config migration failed [Reason: HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate. for url: http://localhost:7440/nsxapi/api/v1/infra/certificates/certificate-##]]


Environment

VMware NSX-T Data Center 3.x

VMware NSX 4.x

Cause

The certificate-## named in the error is a certificate that was fetched from the NSX-V side. The migration fails because NSX-T cannot validate that certificate's chain when it is imported. Known causes are:

  • SSO certificates were fetched. In older NSX-V versions, SSO certificates were not designated as system certificates, so the migration process retrieves them along with the rest of the truststore. Importing them into NSX-T then fails, because these certificates originate from vCenter (VC) and NSX-V does not hold their private key.
  • Expired certificates. An expired leaf, intermediate or root certificate breaks the trust chain, so chain validation in NSX-T fails.

Resolution

The workaround is to remove the detected SSO certificates, or the certificates with a broken chain, from the NSX-V configuration captured by the migration coordinator, and then re-run the migration.

Steps to remove the certificates from the migration configuration.

1. Roll back the migration to the last good stage.
2. From the /var/log/migration-coordinator/v2t/nsxv-config directory, run the grep command below to list the files that reference SSO certificates (recursive, case-insensitive, file names only):
# grep -Ril "sso" .

3. If there are matches, the output names the certificate objects, for example: services.truststore.certificate.certificate-##
Collect the certificate-## IDs from that output.

If no output was matched, use the certificate identified in the initial error message (e.g. http://localhost:7440/nsxapi/api/v1/infra/certificates/certificate-##).

4. Edit the below files:

/var/log/migration-coordinator/v2t/nsxv-config/secrets/services.truststore.v2tmigration.certificate
/var/log/migration-coordinator/v2t/nsxv-config/secret1/services.truststore.v2tmigration.certificate
/var/log/migration-coordinator/v2t/nsxv-config/secret2/services.truststore.v2tmigration.certificate

Each file has contents like the following. Find the trustObject entry whose objectId matches a collected certificate-## and remove that entire entry, from its opening { to its closing } including the trailing comma, so that the trustObject array remains valid JSON.

{
    "api": "/api/2.0/services/truststore/v2tmigration/certificate",
    "encryptedTrustObject": {
        ...
        "trustObjects": {
            "trustObject": [
                {
                    "clientHandle": null,
                    "extendedAttributes": null,
                    "isTemporal": "false",
                    "isUniversal": "false",
                    "name": "############################################",
                    "nodeId": "########-####-####-####-############",
                    "objectId": "certificate-##",
                    "objectTypeName": "Certificate",
                    ...
                },
            ...
            ]
        }
    }
}

5. Re-run the migration.
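The script below is an added example, not part of this article or of VMware's migration tooling. It automates steps 3 and 4: it extracts the certificate-## IDs from a migration-coordinator error line, removes the matching trustObject entries from the three truststore files, and keeps a .bak copy of each file it rewrites. It assumes the JSON layout quoted above (encryptedTrustObject > trustObjects > trustObject list), that python3 is available on the migration coordinator appliance, and the sample log line, certificate IDs and names embedded in it are constructed for illustration.

```python
#!/usr/bin/env python3
"""Prune trustObject entries from the V2T migration truststore files.

Added example, not VMware code. Assumes the truststore files have the JSON
layout quoted in the KB: encryptedTrustObject -> trustObjects -> trustObject (list).
"""
import copy
import json
import re
import shutil
import sys
from pathlib import Path

# The three files step 4 of the KB tells you to edit.
TRUSTSTORE_FILES = [
    "/var/log/migration-coordinator/v2t/nsxv-config/secrets/services.truststore.v2tmigration.certificate",
    "/var/log/migration-coordinator/v2t/nsxv-config/secret1/services.truststore.v2tmigration.certificate",
    "/var/log/migration-coordinator/v2t/nsxv-config/secret2/services.truststore.v2tmigration.certificate",
]

# Matches the certificate ID in the failing URL of the migration-coordinator error.
CERT_ID_RE = re.compile(r"/infra/certificates/(certificate-\d+)")

# Constructed sample log line; certificate-123 is a hypothetical ID.
SAMPLE_LOG_LINE = (
    "Execution monitor service invoked to react to failure of node ConfigApplyL3ToL7 "
    "[Config migration failed [Reason: HTTP Error: 400: Certificate chain validation failed. "
    "Make sure a valid chain is provided in order leaf,intermediate,root certificate. "
    "for url: http://localhost:7440/nsxapi/api/v1/infra/certificates/certificate-123]]"
)

# Constructed sample truststore document in the KB's layout (IDs and names hypothetical).
SAMPLE_TRUSTSTORE = {
    "api": "/api/2.0/services/truststore/v2tmigration/certificate",
    "encryptedTrustObject": {
        "trustObjects": {
            "trustObject": [
                {"clientHandle": None, "isTemporal": "false", "isUniversal": "false",
                 "name": "sso-signing-cert", "objectId": "certificate-123",
                 "objectTypeName": "Certificate"},
                {"clientHandle": None, "isTemporal": "false", "isUniversal": "false",
                 "name": "edge-lb-cert", "objectId": "certificate-7",
                 "objectTypeName": "Certificate"},
            ]
        }
    },
}


def cert_ids_from_log(text):
    """Return the certificate IDs named in migration-coordinator error lines (step 3 fallback)."""
    return sorted(set(CERT_ID_RE.findall(text)))


def prune_trust_objects(doc, cert_ids):
    """Remove trustObject entries whose objectId is in cert_ids, in place.

    Returns the objectIds actually removed, so the caller can confirm every
    collected ID was present in the file before re-running the migration.
    """
    objs = doc["encryptedTrustObject"]["trustObjects"]["trustObject"]
    if not isinstance(objs, list):
        raise ValueError("trustObject is not a list; edit the file by hand")
    removed = [o["objectId"] for o in objs if o.get("objectId") in cert_ids]
    objs[:] = [o for o in objs if o.get("objectId") not in cert_ids]
    return removed


def prune_file(path, cert_ids, apply=False):
    """Report (and with apply=True rewrite) one truststore file without the given certificates.

    A .bak copy is written next to the file so the original NSX-V config can be
    restored if the wrong entry was removed.
    """
    p = Path(path)
    doc = json.loads(p.read_text())
    removed = prune_trust_objects(doc, cert_ids)
    if removed and apply:
        shutil.copy2(p, Path(str(p) + ".bak"))
        p.write_text(json.dumps(doc, indent=4) + "\n")
    return removed


def prune_sample():
    """Run the pruning on a copy of the constructed sample; returns (removed, remaining)."""
    doc = copy.deepcopy(SAMPLE_TRUSTSTORE)
    removed = prune_trust_objects(doc, set(cert_ids_from_log(SAMPLE_LOG_LINE)))
    remaining = [o["objectId"] for o in doc["encryptedTrustObject"]["trustObjects"]["trustObject"]]
    return removed, remaining


if __name__ == "__main__":
    # Usage: prune_trustobjects.py [--apply] certificate-## [certificate-## ...]
    # Without --apply the script only reports what it would remove from each file.
    args = sys.argv[1:]
    apply = "--apply" in args
    ids = {a for a in args if a != "--apply"}
    if not ids:
        sys.exit("give at least one certificate-## ID (from grep or from the error message)")
    for f in TRUSTSTORE_FILES:
        if Path(f).exists():
            print(f, "removed:" if apply else "would remove:", prune_file(f, ids, apply))
```

Run it first without --apply to confirm each collected ID is found in the expected files, then with --apply before step 5. Note that the rewrite re-indents the file with the json module's formatting; the content is unchanged apart from the removed entries.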