HCX Network Extension failed with error "PKIX path validation failed"

Article ID: 404608

Products

VMware HCX

Issue/Introduction

  • The HCX Network Extension task fails with the following error, logged in /common/logs/admin/app.log:
    <timestamp> UTC [NetworkStretchService_SvcThread-5357, j: cabacd21, , TxId: ########-####-####-####-#########] WARN  c.v.v.h.n.i.AbstractJobInt- Exception in NetworkStretchJobs:ExtendNetworkWorkflowInt. Reason : PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    <timestamp> UTC [NetworkStretchService_SvcThread-5357, j: cabacd21, , TxId: ########-####-####-####-#########] ERROR c.v.v.h.n.i.NetworkStretchJobInt- Error encountered in Network Stretch job
    com.vmware.vchs.hybridity.adapters.https.UntrustedCertificateException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
  • In the HCX Manager UI, under Administration > Activity Logs, the following error is reported:
    PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Cause

HCX could not successfully validate the SSL certificate presented by the NSX Manager during the TLS handshake.

The possible causes for this issue are the following:

  1. Certificate Expired:
    The SSL certificate on the NSX Manager has expired. HCX checks the validity period (Not Before, Not After dates) of the certificate.

  2. Untrusted Root Certificate Authority (CA):
    The Root CA that issued the NSX Manager's certificate is not trusted by the HCX appliance.

  3. Missing Intermediate Certificate:
    The NSX certificate chain is not correctly formed because the intermediate certificate is missing.

  4. Mismatch of Thumbprint:
    The certificate thumbprint in HCX does not match the NSX Manager.

Resolution

  1. Check the validity dates of the NSX Manager's certificate. The CARR script can be used to review NSX certificates.

  2. Ensure that the NSX root CA is present in HCX Manager (9443) > Administration > Trusted CA Certificate. If it is not present, import it by following the steps in Importing Trusted Certificates from a Remote Site.

  3. Verify that the NSX Manager's certificate chain is correctly configured and includes all required intermediate certificates.

  4. If the NSX Manager certificate has been renewed, the NSX Manager must be authenticated in HCX Manager (9443): go to Dashboard, click Manager in the NSX square, and enter the NSX credentials.
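
The four checks in the Resolution steps can be run against the certificate details that openssl x509 prints, as in this added Python example (not VMware code and not part of the original article). The sample text, subject names, shortened thumbprints and the function names parse_chain and triage are constructed for illustration; names are compared as text and signatures are not verified.

```python
import re
import ssl
import time

# Constructed sample (values made up, thumbprints shortened), leaf first, from:
#   openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
SAMPLE = """\
subject=CN = nsx.example.test
issuer=CN = Example Issuing CA
notBefore=Jan  1 00:00:00 2023 GMT
notAfter=Jan  1 00:00:00 2024 GMT
sha256 Fingerprint=AA:BB:CC:DD

subject=CN = Example Issuing CA
issuer=CN = Example Root CA
notBefore=Jan  1 00:00:00 2020 GMT
notAfter=Jan  1 00:00:00 2030 GMT
sha256 Fingerprint=11:22:33:44
"""

def parse_chain(text):
    """One dict per certificate block, keys lower-cased ('notafter', ...)."""
    chain = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition("=") for line in block.splitlines())
        chain.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return chain

def triage(chain, trusted_subjects, stored_thumbprint, now=None):
    """Return (cause, detail) pairs; cause numbers follow the Cause list.
    Names are compared as text only; signatures are not verified."""
    now = time.time() if now is None else now
    found = []
    for cert in chain:  # cause 1: Not Before / Not After
        start, end = (ssl.cert_time_to_seconds(cert[k]) for k in ("notbefore", "notafter"))
        if not start <= now <= end:
            found.append(("1", f"outside validity period: {cert['subject']}"))
    top = chain[-1]
    if not {top["subject"], top["issuer"]} & set(trusted_subjects):
        if top["subject"] == top["issuer"]:  # self-signed root missing from the trust store
            found.append(("2", f"untrusted root: {top['subject']}"))
        else:  # chain stops early: issuer neither presented nor trusted
            found.append(("2/3", f"no trusted issuer for: {top['subject']}"))
    for child, parent in zip(chain, chain[1:]):  # cause 3: gap inside the chain
        if child["issuer"] != parent["subject"]:
            found.append(("3", f"issuer of {child['subject']} not presented"))
    if chain[0]["sha256 fingerprint"].upper() != stored_thumbprint.upper():
        found.append(("4", "leaf thumbprint differs from the stored one"))
    return found
```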

Additional Information