/var/log/syslog: (Note: environment-specific values such as hostnames, serial numbers and dates are shown as placeholders, so the message will not match other NSX deployments character for character.)
2025-06-22T04:03:46.552Z <nsx-manager-node> NSX 1944 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2006" level="ERROR" errorCode="NET1111"] Certificate validation failed: 26-unsuitable certificate purpose#012Certificate:#012 Data:#012 Version: 3 (0x2)#012 Serial Number:#012 <certificate-serial-id>#012 Signature Algorithm: sha256WithRSAEncryption#012 Issuer: C=<country-name>; ST=<state-name>; L=<city-name>; O=<organization-name>; OU=<organization-unit-name>; CN=VMware-NSX-ApplProxyHub#012 Validity#012 Not Before: <cert-creation-date>#012 Not After : <cert-expiration-date>#012 Subject: C=<country-name>; ST=<state-name>; L=<city-name>; O=<organization-name>; OU=<organization-unit-name>; CN=VMware-NSX-ApplProxyHub#012 Subject Public Key Info:#012 Public Key Algorithm: rsaEncryption#012 Public-Key: (2048 bit)#012 Modulus:#012
root@nsx-manager-01:/etc/vmware/nsx-appl-proxy# openssl x509 -in appl-proxy-ar-cert.pem -text
Certificate:
    ...
    ...
    ...
        X509v3 extensions:
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                DNS:VMware-NSX-ApplProxyHub
VMware NSX 4.1.x
The APH-TN certificate has the wrong Extended Key Usage (EKU). It carries only TLS Web Server Authentication, but the appliance proxy hub both accepts and initiates TLS connections to the other manager nodes, so the certificate must carry both Server Authentication and Client Authentication. If either purpose is missing, the peer rejects the certificate (the log above shows OpenSSL verify error 26, unsuitable certificate purpose), APH-to-APH (MP-MP) connectivity breaks, and the upgrade fails.
Replace the APH-TN certificate with one whose Extended Key Usage contains both Server Authentication and Client Authentication.
Use the following steps to generate a new certificate and replace the existing one:
1. Log in to the NSX Manager UI and go to System > Certificates > Import > Certificate.
a. Name the certificate.
b. Disable the Service Certificate toggle.
c. Use a certificate whose CN includes the node's UUID, so that each node's certificate stays unique.
d. Click Save.
2. Obtain the certificate ID of the newly imported certificate from the UI; the ID field shows the UUID.
3. Run the following API call with that certificate ID and the node ID of one of the NSX Manager nodes:
POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=APH_TN&node_id=<node-id>
Repeat these steps for each manager node with its own certificate. Once the certificate has been replaced on all nodes, resume the upgrade.
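The script below is an added example, not part of this KB and not NSX's own tooling. It shows the three things a practitioner wants before touching the managers: how to mint a certificate that carries both EKUs (an OpenSSL config with extendedKeyUsage = serverAuth, clientAuth and the node UUID in the CN), a pre-import check that fails when either purpose is absent, and OpenSSL's own purpose check reproducing the "unsuitable certificate purpose" (error 26) from the log against a serverAuth-only certificate. The node UUIDs, the WORK directory and the NSX_MGR/NSX_USER/NSX_PASS variables are placeholders; the apply_aph_cert function wraps the API call from step 3 and is defined but not executed, since it needs a reachable manager.

```shell
#!/usr/bin/env bash
# Added example, not from the KB: generate an APH-TN style certificate with the
# required EKUs, check a PEM before importing it, and wrap the step-3 API call.
# All UUIDs, hostnames and credentials here are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed leaf certificate. $3 is the extendedKeyUsage value, so the same
# function yields a correct certificate and one that reproduces the failure.
# The CN embeds the node UUID (placeholder) to keep each node's certificate unique.
make_aph_cert() {
  local name="$1" node_uuid="$2" eku="$3"
  cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_leaf
prompt             = no
[ dn ]
CN = VMware-NSX-ApplProxyHub-$node_uuid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, $eku
subjectAltName   = critical, DNS:VMware-NSX-ApplProxyHub
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$WORK/$name.cnf" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  echo "$WORK/$name.pem"
}

# Pre-import check: succeed only if the EKU extension lists both TLS Web Server
# Authentication and TLS Web Client Authentication. The EKU values are printed on
# the line after the extension name in `openssl x509 -text` output.
check_aph_eku() {
  local pem="$1" eku missing=""
  eku=$(openssl x509 -in "$pem" -noout -text | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 || true)
  printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' || missing="$missing serverAuth"
  printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication' || missing="$missing clientAuth"
  if [ -n "$missing" ]; then
    echo "FAIL $pem: EKU is missing$missing"
    return 1
  fi
  echo "OK   $pem: EKU has serverAuth and clientAuth"
}

# Reproduce the peer's complaint with OpenSSL's purpose check. The cert is
# self-signed, so it is its own trust anchor here. A serverAuth-only cert is
# rejected for the client role (-purpose sslclient) with verify error 26, the
# "unsuitable certificate purpose" seen in the syslog excerpt.
purpose_check() {
  local pem="$1" purpose="$2"
  openssl verify -CAfile "$pem" -purpose "$purpose" "$pem" 2>&1 || true
}

# Step 3 of the resolution as a curl call. Defined but not run in this example:
# it needs a reachable manager and credentials (NSX_MGR, NSX_USER, NSX_PASS).
apply_aph_cert() {
  local cert_id="$1" node_id="$2"
  curl -sk -u "${NSX_USER:-admin}:${NSX_PASS:?set NSX_PASS}" -X POST \
    "https://${NSX_MGR:?set NSX_MGR}/api/v1/trust-management/certificates/${cert_id}?action=apply_certificate&service_type=APH_TN&node_id=${node_id}"
}

# Demo: one correct certificate and one that reproduces the KB's failure.
good=$(make_aph_cert good 11111111-2222-3333-4444-555555555555 "serverAuth, clientAuth")
bad=$(make_aph_cert bad 66666666-7777-8888-9999-000000000000 "serverAuth")
check_aph_eku "$good"
check_aph_eku "$bad" || true
purpose_check "$bad" sslclient
```

Run check_aph_eku against the PEM you are about to import in step 1; if it reports a missing purpose, regenerate the certificate rather than importing it, because the apply_certificate call will install it and the peer will reject it exactly as in the log.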