V2T migration fails with error "HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate."

Article ID: 384010


Products

VMware NSX

Issue/Introduction

  • V2T migration fails with error "HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate."
  • The log file /var/log/migration-coordinator/migration-coordinator.log contains the following entry:

Execution monitor service invoked to react to failure of node ConfigApplyL3ToL7 [Config migration failed [Reason: HTTP Error: 400: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate. for url: http://localhost:7440/nsxapi/api/v1/infra/certificates/certificate-##]]

 

Environment

VMware NSX-T Data Center

Cause

The certificate-## named in the error is an SSO-related certificate that was fetched from the NSX-V side. In older NSX-V versions, SSO certificates were not designated as system certificates, so the migration process retrieves them along with the other certificates. The migration then fails because these certificates are sourced from vCenter (VC) and NSX-V does not hold their private key.

Resolution

The workaround is to remove all the SSO certificates that were detected from the NSX-V config.

Steps to remove the certificates from the configuration:

1. Roll back the migration to the last good stage.
2. From the /var/log/migration-coordinator/v2t/nsxv-config directory, run the grep command below to get the list of SSO certs.
# grep -Ril "CN=ssoserverSign"

3. Collect the certificate IDs from the previous step and remove the matching entries from encryptedTrustObject.trustObjects.trustObject in the following locations:


 /var/log/migration-coordinator/v2t/nsxv-config/secret1/services.truststore.v2tmigration.certificate
 /var/log/migration-coordinator/v2t/nsxv-config/secrets/services.truststore.v2tmigration.certificate
 /var/log/migration-coordinator/v2t/nsxv-config/secret2/services.truststore.v2tmigration.certificate

4. Rerun the migration.
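
A helper for steps 2 and 3, as an added example that is not part of the KB article: it lists the files that reference the SSO signing certificate, copies the affected truststore files outside the config directory before they are edited, and confirms afterwards that no reference remains. The function names and the default backup location are assumptions; the entries themselves are still removed by hand as described in step 3.

```shell
#!/usr/bin/env bash
# Added example, not VMware/Broadcom code. Function names and the default
# backup location are assumptions; paths and pattern come from the article.

NSXV_CONFIG_DIR="${NSXV_CONFIG_DIR:-/var/log/migration-coordinator/v2t/nsxv-config}"
SSO_PATTERN="CN=ssoserverSign"
TRUSTSTORE_NAME="services.truststore.v2tmigration.certificate"

# Step 2: list every file under the config directory that mentions the SSO
# signing certificate (recursive and case-insensitive, like grep -Ril).
list_sso_cert_files() {
    local dir="${1:-$NSXV_CONFIG_DIR}"
    grep -Ril -- "$SSO_PATTERN" "${dir%/}" 2>/dev/null | sort
}

# Before step 3: copy each truststore file that contains an SSO entry to a
# directory outside nsxv-config, keeping the secret1/secrets/secret2 layout,
# so the manual edit can be reverted. Prints the path of every copy made.
backup_truststores() {
    local dir="${1:-$NSXV_CONFIG_DIR}"
    local dest="${2:-$HOME/nsxv-config-backup-$(date +%Y%m%d%H%M%S)}"
    local f rel
    dir="${dir%/}"
    list_sso_cert_files "$dir" | while IFS= read -r f; do
        [ "$(basename "$f")" = "$TRUSTSTORE_NAME" ] || continue
        rel="${f#"$dir"/}"
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p -- "$f" "$dest/$rel" && printf '%s\n' "$dest/$rel"
    done
}

# After step 3, before rerunning the migration: returns 0 only when no file
# under the config directory still references the SSO certificate.
verify_sso_removed() {
    local dir="${1:-$NSXV_CONFIG_DIR}"
    ! list_sso_cert_files "$dir" | grep -q .
}
```

Source the file on the node that holds the migration-coordinator data, run `backup_truststores`, edit the three files, then run `verify_sso_removed` and check its exit status before step 4.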