"HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate."
Execution monitor service invoked to react to failure of node ConfigApplyL3ToL7 [Config migration failed [Reason: HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate. for url: http://localhost:7440/nsxapi/api/v1/infra/certificates/certificate-##]]
VMware NSX-T datacenter
Certificate-## in the error is an SSO-related certificate that was fetched from the NSX-V side. In older NSX-V versions, SSO certificates were not designated as system certificates, so the migration process retrieves them. The migration then fails because these certificates are sourced from vCenter (VC) and their private key is not present on NSX-V.
The workaround is to remove all the SSO certificates that were detected from the NSX-V config.
Steps to remove the certificates from the configuration:
1. Roll back the migration to the last good stage.
2. From the /var/log/migration-coordinator/v2t/nsxv-config directory, run the grep command below to get the list of SSO certs.
# grep -Ril "CN=ssoserverSign"
3. Collect the certificate IDs from the previous step and remove their entries from encryptedTrustObject.trustObjects.trustObject in the locations below:
/var/log/migration-coordinator/v2t/nsxv-config/secret1/services.truststore.v2tmigration.certificate
/var/log/migration-coordinator/v2t/nsxv-config/secrets/services.truststore.v2tmigration.certificate
/var/log/migration-coordinator/v2t/nsxv-config/secret2/services.truststore.v2tmigration.certificate
4. Rerun the migration.
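The following helper is an added example, not VMware tooling: it wraps the search from step 2, backs up the three truststore files from step 3 before they are edited by hand, and afterwards checks that none of the removed IDs is still referenced. The function names, the CFG_DIR variable and the backup suffix are hypothetical, and the check assumes the certificate IDs appear as literal strings in the truststore files.

```shell
#!/bin/sh
# Added helper (not VMware tooling). Default is the directory named in step 2.
CFG_DIR="${CFG_DIR:-/var/log/migration-coordinator/v2t/nsxv-config}"
# Truststore files named in step 3, relative to CFG_DIR.
TRUSTSTORES="secret1/services.truststore.v2tmigration.certificate
secrets/services.truststore.v2tmigration.certificate
secret2/services.truststore.v2tmigration.certificate"

# Step 2: list files under CFG_DIR that mention the SSO signing subject.
list_sso_cert_files() {
    grep -Ril "CN=ssoserverSign" "$CFG_DIR" 2>/dev/null | sort
}

# Before step 3: copy each existing truststore file to <file>.bak-<suffix>.
backup_truststores() {
    suffix="${1:-$(date +%Y%m%d%H%M%S)}"
    for rel in $TRUSTSTORES; do
        f="$CFG_DIR/$rel"
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak-$suffix" || return 1
        echo "$f.bak-$suffix"
    done
}

# After step 3: report truststore files that still contain any given ID.
# Assumption: IDs occur as literal strings; -w keeps certificate-1 from
# matching certificate-12. Returns 0 when nothing remains, 1 otherwise.
remaining_references() {
    rc=0
    for id in "$@"; do
        for rel in $TRUSTSTORES; do
            f="$CFG_DIR/$rel"
            [ -f "$f" ] || continue
            if grep -qwF -- "$id" "$f"; then
                echo "$id still referenced in $f"
                rc=1
            fi
        done
    done
    return $rc
}
```

Source the file on the node that holds the migration-coordinator logs, run backup_truststores before editing, and run remaining_references with the collected IDs before rerunning the migration.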