NSX Manager upgrade pre-checks failed due to certificate parsing error

Article ID: 387955


Products

VMware NSX

VMware NSX-T Data Center

Issue/Introduction

During the NSX Manager upgrade pre-checks, the Certificate Validity Checks fail with one of the following error messages:

Checks if all the certificates are properly formatted, in order to avoid that during upgrade a newer JVM  rejects certificates which were accepted previously

The certificate with id <cert-id> failed to parse with error: signed overrun, bytes = <number of bytes>. Please delete (if unused) or replace this certificate prior to upgrading.

The certificate with id <cert-id> failed to parse with error: java.io.IOException: Illegal footer: -Type: 4,ENCRYPTED. Please delete (if unused) or replace this certificate prior to upgrading.

 

Environment

VMware NSX

VMware NSX-T Data Center

Cause

This can occur if there is an issue with the format of the certificate imported into NSX Manager.

Resolution

Steps to Retrieve and Verify Certificates:

  1. Run the API:

    GET https://<nsx-mgr>/api/v1/trust-management/certificates/
    
  2. Search for the Certificate: Locate the <cert-id> that the upgrade coordinator failed to parse and verify that its format is correct.

  3. Verify the pem_encoded Field: Ensure that the pem_encoded field uses the following format:

    -----BEGIN CERTIFICATE-----
    <certificate contents>
    -----END CERTIFICATE-----
    
  4. Intermediate and Root CA Certificates: If intermediate and root CA certificates are included, each must use the same format:

    -----BEGIN CERTIFICATE-----
    <certificate contents for intermediate CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate contents for Root CA>
    -----END CERTIFICATE-----
    
  5. Check for a Private Key: The pem_encoded field should not contain a private key. If the pem_encoded field contains a private key, or if the BEGIN CERTIFICATE line is missing dash characters, the certificate must be replaced with one in the correct format.
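
The format checks in steps 2 to 5 can be scripted against a saved copy of the API response. The following Python is an added example, not part of the original article or of NSX: the function names and sample data are constructed, the response shape (`results[].id`, `pem_encoded`) is an assumption, and the base64/DER check goes slightly beyond the checks listed above.

```python
import base64, binascii, re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")

def check_pem(pem):
    """Return the format problems found in one pem_encoded value."""
    problems, body, inside, blocks = [], [], False, 0
    if "PRIVATE KEY" in pem:
        problems.append("contains a private key")
    for line in filter(None, (l.strip() for l in pem.splitlines())):
        if line not in (BEGIN, END) and not B64_LINE.match(line):
            problems.append(f"unexpected line: {line[:40]!r}")
        elif line == BEGIN and not inside:
            inside, body = True, []
        elif line == END and inside:
            inside, blocks = False, blocks + 1
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der.startswith(b"\x30"):  # X.509 is a DER SEQUENCE
                    problems.append(f"block {blocks}: not a DER SEQUENCE")
            except binascii.Error:
                problems.append(f"block {blocks}: invalid base64")
        elif inside:
            body.append(line)
        else:
            problems.append("content outside a CERTIFICATE block")
    if inside:
        problems.append("missing END CERTIFICATE line")
    if blocks == 0:
        problems.append("no complete CERTIFICATE block")
    return list(dict.fromkeys(problems))  # de-duplicate, keep order

def audit(api_response):
    """Map certificate id -> problems, for entries that have any."""
    return {c["id"]: p for c in api_response.get("results", [])
            if (p := check_pem(c.get("pem_encoded", "")))}

def _block(der=b"\x30\x03\x02\x01\x01"):  # constructed stand-in, not a real cert
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

# Constructed sample; response shape (results[].id, pem_encoded) is an assumption
SAMPLE = {"results": [
    {"id": "cert-ok", "pem_encoded": _block() * 2},
    {"id": "cert-dashes", "pem_encoded": _block()[1:]},
    {"id": "cert-key", "pem_encoded": _block() + "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\nAAAA\n-----END RSA PRIVATE KEY-----\n"},
]}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

To use it on real data, load the saved JSON response with `json.load` and pass it to `audit` in place of `SAMPLE`.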

 

Workarounds:

  1. Generate a New Certificate: Create a new certificate with the correct format and apply it to the NSX Manager. Then, delete the incorrect certificate.

  2. Temporary Self-Signed Certificate: Alternatively, generate a temporary self-signed certificate to replace the incorrect one. Reimport the certificate with the correct format and apply it again.

 

For detailed instructions on importing a self-signed or CA-signed certificate and replacing NSX Manager certificates, refer to the following documentation:

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/certificates/importing-certificates/import-a-certificate.html

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/certificates/replacing-certificates.html