SSP 5.0 UI page stuck in loading state

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

SSP 5.0 UI page stuck in loading state.

System time on control plane node found to be incorrect, behind the certificate’s validity start date.

Cluster services (including etcd) reject connections due to invalid time, preventing normal SSP operations.

etcd pod logs show repeated errors::

[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X 3607" server-name="prod-k8s-app-ext" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[info]: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z
[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X :43607" server-name="prod-k8s-app-ext" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[info]: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z
[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X :43607" server-name="prod-k8s-app-ext" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[info]: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z
[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X :43607" server-name="prod-k8s-app-ext" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[info]: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z
[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X :43607" server-name="prod-k8s-app-ext" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[root@prod-k8s-app-ext] # data
[root@prod-k8s-app-ext] # date
Thu Sep 12 07:26:57 UTC 2025

Steps to check etcd pod logs. SSH into the SSP Installer VM

1.Run below command to get the control plane node ID or IP.

kubectl get machines -A

3. Identify and SSH into the Control Plane Node.From that , get the control plane node IP or ID.

ssh capv@<node-IP>

Switch to root: sudo -i

4. Check etcd Pod

kubectl get pods -A | grep etcd

Note the etcd pod name from the output.

5. Review etcd Logs.Use the pod name obtained in the previous step:

kubectl logs <etcd-POD-NAME> -n kube-system

You might encounter an error like the following:

[level="warn" time="2025-09-12T07:26:47Z" caller="k8s/client.go:616" msg="rejected connection" remote-addr="172.X:X.X :43607" server-name="prod-xxx-xxx-x" error="x509: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z"]
[info]: certificate has expired or is not yet valid: current time 2025-09-12T07:26:47Z is before 2025-09-22T07:29:22Z

Compare the current system time. The above error indicates that the system clock is behind real time, causing certificate validation to fail.

Environment

SSP 5.0

Cause

The system clock is behind the certificate’s validity start time, which led to x509 certificate validation failures. This prevented etcd and other Kubernetes components from establishing secure communication, resulting in SSP login failure.

Resolution

Refer to the following Broadcom Knowledge Base articles to validate and fix NTP synchronization:

KB Article 403357 – NTP Time Sync Issues in vSphere/SSP

KB Article 403352 – How to Configure and Troubleshoot NTP