NSX Manager Deployment Fails with "OVF certificate validation failed: certificate has expired"
Article ID: 408930
Updated On:
Products
Issue/Introduction
- An NSX cluster was operating in a degraded state with only two nodes, unable to successfully deploy the third required NSX Manager node. Attempts to deploy the third NSX Manager appliance failed, displaying the following error message: "Reason: OVF certificate validation failed. Error: Error while fetching ovf file. er: (60) certificate has expired"
- This issue prevents the expansion of the NSX Manager cluster to its desired or required number of nodes, leading to a degraded cluster state.
Environment
VMware NSX
Cause
The primary cause of the deployment failure has been an expired OVF certificate used by the existing NSX Manager nodes for deploying new appliances. Specifically, the Tomcat certificates (Service Type = API) and/or mp-cluster certificates (Service Type = MGMT_CLUSTER) have expired on the operational NSX Manager nodes.
Once these certificates have expired, NSX Manager’s ability to trigger deployment workflows for new Managers or Edges has been affected, resulting in the observed OVF certificate validation failure. This has been identified as expected product behavior.
Resolution
- Renew the Expired Certificate(s): Navigate to the NSX Manager UI under System > Certificates and check the status of certificates associated with the API and/or MGMT_CLUSTER service types. Renew the expired certificate(s) associated with the API and/or MGMT_CLUSTER service types on the existing NSX Manager nodes.
- Delete Failed Deployment: Delete any previously failed deployment attempts of the NSX Manager from your virtualization platform (e.g., vCenter).
- Redeploy NSX Manager: Initiate the deployment of the third NSX Manager node again.
Additional Information
Please refer to the KB to renew the certificates on the NSX manager:
Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX
Renew or replace the self-signed SSL certificates assigned to various components of NSX version 4.2 and later through the GUI interface Only.
Please refer to the list below for similar issues:
- NSX Manager node fails to deploy with error: Error while fetching ovf file. er: (60) certificate has expired
NSX Manager Deployment Fails with "OVF certificate validation failed: certificate has expired" - NSX Edge node fails to deploy with error: OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
"OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]" error for NSX Edge Install/Redeploy/Resize - NSX Manager node fails to deploy with error: OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
"OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]" error for NSX Manager deployment - NSX appliance deployment shows a warning: The Certificate is Expired or The Certificate is not trusted
"The OVF package contains advanced configuration options, which might pose a security risk" with "The Certificate is Expired" error for NSX Edge or Manager OVF deployment - NSX Service VM fails to deploy with error: OVF certificate validation failed
Deploying a service vm ( SVM ) in NSX fails due to "Error creating agency for deployment unit ########-####-####-####-############. OVF certificate validation failed"
Feedback
