Edge node MPA connectivity down due to transport node certificate expired

Article ID: 409760


Products

VMware NSX

Issue/Introduction

  • Edge nodes show an unknown status with an MPA connectivity down error.
  • You may see log entries similar to the following:

/var/log/syslog on the manager node

2025-09-02T07:46:40.280Z nsx-mgr1.########.local NSX 1464 - [nsx@6876 comp="nsx-manager" errorCode="MP101" level="ERROR" subcomp="ccp"] Closing connection NettyConnection(NettyChannel(local=<MANAGER NODE IP ADDRESS>:1235, remote=<EDGE NODE IP>:58162), active=false) because of unhandled exception io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Certificate expired for UID=########-8985-####-b4be-############ ......

/var/log/syslog on the edge node

2025-09-02T11:13:35.771Z nsx-edge1.########.local NSX 708971 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="708991" level="INFO"] ConnectionKeeper[4 ssl://<MANAGER NODE IP>:1234] attempting connection from timer callback
2025-09-02T11:13:35.787Z nsx-edge1.########.local NSX 708971 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="708991" level="WARNING"] StreamConnection[9996 Connecting to ssl://<MANAGER NODE IP:1234 sid:9996] Couldn't connect to 'ssl://<MANAGER NODE IP>:1234' (error: 335544539-short read)

  • Validate that the host certificate on the transport node is expired using the command below.

For example:

EdgeNode# openssl x509 -startdate -enddate -noout -in /etc/vmware/nsx/host-cert.pem

notBefore=Apr 25 07:28:11 2023 GMT
notAfter=Jul 28 07:28:11 2025 GMT <<<
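As an added example, not part of this KB, the following Python script parses the openssl validity output shown above and matches the two syslog signatures (the manager's MP101 handshake error and the edge's short-read warning), so that an expiring host-cert.pem can be caught before MPA connectivity drops. The hostnames, IP address and UID in the sample data are constructed placeholders.

```python
# Parse the validity window that "openssl x509 -startdate -enddate -noout" prints for
# /etc/vmware/nsx/host-cert.pem and match the two syslog signatures from this KB.
import re
from datetime import datetime, timedelta, timezone

# Constructed to match the KB's openssl output (openssl prints validity dates in GMT).
OPENSSL_OUTPUT = """notBefore=Apr 25 07:28:11 2023 GMT
notAfter=Jul 28 07:28:11 2025 GMT
"""
# Constructed syslog lines in the shape shown in the KB; hosts, IP and UID are placeholders.
SAMPLE_LOGS = [
    '2025-09-02T07:46:40.280Z nsx-mgr1.example.local NSX 1464 - [nsx@6876 comp="nsx-manager" '
    'errorCode="MP101" level="ERROR" subcomp="ccp"] Closing connection NettyConnection(...) because of '
    'unhandled exception io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: '
    'Certificate expired for UID=edge-uuid-placeholder ......',
    '2025-09-02T11:13:35.787Z nsx-edge1.example.local NSX 708971 - [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-proxy" s2comp="nsx-net" tid="708991" level="WARNING"] StreamConnection[9996] '
    "Couldn't connect to 'ssl://192.0.2.10:1234' (error: 335544539-short read)",
    '2025-09-02T11:13:35.771Z nsx-edge1.example.local NSX 708971 - [...] attempting connection from timer callback',
]
# Constructed "now": the timestamp of the manager-side error above.
AS_OF = datetime(2025, 9, 2, 7, 46, 40, tzinfo=timezone.utc)

def parse_validity(text):
    """Return (notBefore, notAfter) from openssl's output as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def cert_state(text, now, warn_days=30):
    """'expired', 'expiring' (fewer than warn_days left) or 'ok', relative to now."""
    _, not_after = parse_validity(text)
    if now >= not_after:
        return "expired"
    return "expiring" if not_after - now < timedelta(days=warn_days) else "ok"

# Manager side: MP101 SSLHandshakeException naming the expired TN's UID; edge side: short read on TLS connect.
SIGNATURES = [
    ("manager_rejected_expired_cert", re.compile(r'errorCode="MP101".*Certificate expired for UID=(\S+)')),
    ("edge_tls_handshake_short_read", re.compile(r"Couldn't connect to '(ssl://[^']+)' \(error: \d+-short read\)")),
]

def findings(lines):
    """(finding, detail) for every syslog line that matches a known signature, in input order."""
    matches = ((name, pat.search(line)) for line in lines for name, pat in SIGNATURES)
    return [(name, m.group(1)) for name, m in matches if m]
```

Run cert_state against the live output of the openssl command on each edge node and alert on "expiring" to stay ahead of the 24-hour grace period mentioned later in this article.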

Environment

VMware NSX

Cause

SSL negotiation failure on the control channel connection due to an expired host certificate.

Resolution

1. Check the certificate host-cert.pem.

#cd /etc/vmware/nsx/

#ls

Sample output:
appliance-info.xml   host-cert.pem  host-privkey.pem  netopa.xml     openssl-proxy.cnf
controller-info.xml  host-cfg.xml   mpa-txn           nsx-proxy.xml

2. Copy the original file to a backup.

cp host-cert.pem host-cert.pem.bak

3. Delete the original pem file.

#rm host-cert.pem

4. Restart the nsx-proxy service; this should recreate the host-cert.pem file.

# /etc/init.d/nsx-proxy restart

5. Verify the new pem file and check its validity.

Edge# openssl x509 -startdate -enddate -noout -in /etc/vmware/nsx/host-cert.pem

 

6. Do a manual resync of certificates using the commands below for all three manager nodes (or refer to the workaround in KB 389595).

push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
sync-aph-certificates <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>

7. Check the edge node status in NSX.

Note:

If you do not have CLI access to the edge nodes, you will need to redeploy the affected edges to resolve this issue, following the documentation below:

Redeploy an Edge VM Appliance

Additional Information

Note: If TN certificates have already expired and the 24-hour grace period has elapsed, the TNs will be disconnected. At this point CARR can no longer be used to replace the TN certificates. Refer to KB 369034.