AVI Load Balancer upgrade pre-check is failing with "Error while checking exported config [...] Database error - Invalid reference SSLKeyAndCertificate"
The issue occurs because a stale certificate is assigned under the "syslog" configuration. The SSL/TLS certificate referenced under syslog was forcefully removed without first removing the references to it.
Steps to verify:
In "portal-webapp.log", the upgrade pre-check reports an invalid certificate reference:
2025-07-07T10:32:04.711Z E 4138769 executor/executor.go:120 Execution failed with result = Traceback (most recent call last):
File "/opt/avi/scripts/config_checker.py", line 191, in <module>
raise Exception('Database Error - Invalid Reference : %s' %all_missing_refs)
Exception: Database Error - Invalid Reference : {'SSLKeyAndCertificate': ['/api/sslkeyandcertificate/sslkeyandcertificate-######-######-#######-####']}
, error = exit status 1. Retry 1
2025-07-07T10:32:04.711Z E 4138769 checks/check_config_migration.go:44 [de8400d54fb0] Error while checking exported config, output: Traceback (most recent call last):
File "/opt/avi/scripts/config_checker.py", line 191, in <module>
raise Exception('Database Error - Invalid Reference : %s' %all_missing_refs)
Exception: Database Error - Invalid Reference : {'SSLKeyAndCertificate': ['/api/sslkeyandcertificate/sslkeyandcertificate-######-######-#######-####']}
, error: exit status 1
Check whether the certificate is listed under SSL/TLS Certificates in the Avi Load Balancer UI.
Examine the Avi configuration (available in the avi_config file within debug logs or the exported configuration package) to confirm if the certificate is referenced anywhere in the setup.
In this case, the certificate was referenced under the Syslog configuration, but it was not present in the SSL/TLS Certificates list:
"AlertSyslogConfig": [
  {
    "configpb_attributes": {
      "version": 1
    },
    "description": "syslog server",
    "name": "########",
    "syslog_servers": [
      {
        "anon_auth": false,
        "format": "SYSLOG_RFC5424",
        "pkiprofile_ref": "/api/pkiprofile/?tenant=admin&name=######",
        "ssl_key_and_certificate_ref": "/api/sslkeyandcertificate/sslkeyandcertificate-####################",
        "strict_cert_verify": false,
        "syslog_server": "############",
        "syslog_server_port": 1514,
        "tls_enable": true,
        "udp": false
      }
    ],
    "tenant_ref": "/api/tenant/?name=admin",
    "url": "/api/alertsyslogconfig/alertsyslogconfig-####################",
    "uuid": "alertsyslogconfig-####################"
  }
],
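The configuration check described above, as an added example that is not from the original article or the product's own scripts: it walks an exported configuration and lists every certificate reference whose target is missing. It assumes certificates sit in a top-level "SSLKeyAndCertificate" list with "uuid" and "name" fields, and that a reference may also use the ?name= form shown for pkiprofile_ref; SAMPLE is constructed data.

```python
import json
from urllib.parse import urlsplit, parse_qs

CERT_TYPE = "SSLKeyAndCertificate"          # assumed top-level key in the export
CERT_PATH = "/api/sslkeyandcertificate/"

def cert_refs(node, path=""):
    """Yield (json_path, ref) for every field that points at a certificate."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key != "url":                # "url" is the object's own address
                yield from cert_refs(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from cert_refs(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith(CERT_PATH):
        yield path, node

def stale_cert_refs(config):
    """Return [(json_path, ref)] whose target certificate is not in the export."""
    certs = config.get(CERT_TYPE, [])
    uuids = {c.get("uuid") for c in certs}
    names = {c.get("name") for c in certs}
    stale = []
    for path, ref in cert_refs(config):
        parts = urlsplit(ref)
        tail = parts.path[len(CERT_PATH):]                   # uuid form
        name = parse_qs(parts.query).get("name", [None])[0]  # ?name= form
        found = tail in uuids if tail else (name is not None and name in names)
        if not found:
            stale.append((path, ref))
    return stale

# Constructed sample: one certificate exists, the first syslog server points at another.
SAMPLE = json.loads("""
{"SSLKeyAndCertificate": [{"name": "syslog-cert", "uuid": "sslkeyandcertificate-aaaa",
                           "url": "/api/sslkeyandcertificate/sslkeyandcertificate-aaaa"}],
 "AlertSyslogConfig": [{"name": "syslog-1", "syslog_servers": [
   {"ssl_key_and_certificate_ref": "/api/sslkeyandcertificate/sslkeyandcertificate-bbbb"},
   {"ssl_key_and_certificate_ref": "/api/sslkeyandcertificate/?tenant=admin&name=syslog-cert"}]}]}
""")

if __name__ == "__main__":
    for path, ref in stale_cert_refs(SAMPLE):
        print(f"stale reference at {path}: {ref}")
```

The reported path identifies the object and the syslog_servers entry that still hold the stale reference.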
To resolve the issue, either remove the certificate reference from the configuration or assign an existing, valid certificate from the SSL/TLS Certificates list.
Steps to remove the certificate reference:
Removing the certificate from the syslog profile can be done only through the CLI.
Step 1:
Log in to the controller shell.
Step 2:
[admin:xx-xx-xx-xxx]: > configure alertsyslogconfig <name>
[admin:xx-xx-xx-xxx]: alertsyslogconfig> syslog_servers index <number>
[admin:xx-xx-xx-xxx]: alertsyslogconfig:syslog_servers> no ssl_key_and_certificate_ref
[admin:xx-xx-xx-xxx]: alertsyslogconfig:syslog_servers> save
[admin:xx-xx-xx-xxx]: alertsyslogconfig> save
Steps to replace with a new SSL certificate:
Step 1:
Log in to the controller shell.
Step 2:
[admin:xx-xx-xx-xxx]: > configure alertsyslogconfig <name>
[admin:xx-xx-xx-xxx]: alertsyslogconfig> syslog_servers index <number>
[admin:xx-xx-xx-xxx]: alertsyslogconfig:syslog_servers> ssl_key_and_certificate_ref <new certificate name>
[admin:xx-xx-xx-xxx]: alertsyslogconfig:syslog_servers> save
[admin:xx-xx-xx-xxx]: alertsyslogconfig> save