The task fails during the connection attempt with NSX Manager due to certificate validation errors.
In the SDDC Manager UI, the following task may fail with an error:
Sub Task: Add Workload Domain vCenter Server to Management Domain NSX Distributed Firewall Exclusion List
domainmanager.log
2025-09-19T03:54:43.344+0000 ERROR [vcf_dm,XXXXXX,c853] [c.v.e.s.o.model.error.ErrorFactory,XXXX] [XXXXX] UPDATE_NSX_FIREWALL_EXCLUSION_LIST_FAILED Unable to add VMs [XXXX] to firewall exclusion list for NSX Manager RemoteEndpoint(address=FQDN, port=0, username=User).
com.vmware.evo.sddc.orchestrator.exceptions.OrchTaskException: Unable to add VMs [XXXX] to firewall exclusion list for NSX Manager RemoteEndpoint(address=FQDN, port=0, username=User).
    at com.vmware.vcf.common.fsm.plugins.nsxt.action.UpdateNsxtFirewallExclusionListAction.execute(UpdateNsxtFirewallExclusionListAction.java:57)
    at com.vmware.vcf.common.fsm.plugins.nsxt.action.UpdateNsxtFirewallExclusionListAction.execute(UpdateNsxtFirewallExclusionListAction.java:21)
    at com.vmware.evo.sddc.orchestrator.platform.action.FsmActionState.invoke(FsmActionState.java:62)
    at com.vmware.evo.sddc.orchestrator.platform.action.FsmActionPlugin.invoke(FsmActionPlugin.java:159)
    at com.vmware.evo.sddc.orchestrator.platform.action.FsmActionPlugin.invoke(FsmActionPlugin.java:144)
    at com.vmware.evo.sddc.orchestrator.core.ProcessingTaskSubscriber.invokeMethod(ProcessingTaskSubscriber.java:400)
    at com.vmware.evo.sddc.orchestrator.core.ProcessingTaskSubscriber.processTask(ProcessingTaskSubscriber.java:520)
    at com.vmware.evo.sddc.orchestrator.core.ProcessingTaskSubscriber.accept(ProcessingTaskSubscriber.java:124)
    at jdk.internal.reflect.GeneratedMethodAccessor667.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at com.google.common.eventbus.Subscriber.invokeSubscriberMethod(Subscriber.java:85)
    at com.google.common.eventbus.Subscriber.lambda$dispatchEvent$0(Subscriber.java:71)
    at com.vmware.vcf.common.tracing.TraceRunnable.run(TraceRunnable.java:59)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: com.vmware.vapi.client.exception.SslException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
...
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Month Day HH:MM:SS UTC YYYY
    at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
    at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:621)
    at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
    at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
    ... 64 common frames omitted
VMware SDDC Manager
The root cause is that the NSX Manager SSL certificate has expired: when SDDC Manager opens a TLS connection to NSX Manager, PKIX path validation rejects the presented certificate (CertificateExpiredException), so the task cannot reach NSX Manager to update the exclusion list.
Renew the NSX Manager certificate and then retry the task.
The issue should be resolved once the certificate has been updated on the NSX side.
For details on how to renew the NSX certificates, please refer to the following documentation:
Scripted process to Replace Expired or Self-signed VMware NSX-T Manager Certificates with VMCA-Signed Certificates
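As an added check that is not part of this article, the following Python helper covers what a defender would want before and after the renewal: it classifies a domainmanager.log error by the root-cause exception in its "Caused by" chain (generalised to a few sibling PKIX failures beyond the expired-certificate case the log above shows), and it reads the validity window of the certificate the NSX Manager endpoint actually presents, so the expiry can be confirmed and the renewal verified without depending on chain trust. The hostname, the log line and the DER certificate skeleton are constructed sample values; the minimal DER walker only extracts the validity field and performs no PKIX validation.

```python
"""Triage helper for the SDDC Manager NSX firewall-exclusion-list failure (added example)."""
import re
import socket
import ssl
from datetime import datetime, timezone

# Root-cause signatures from the Java exception chain, most specific first.
_CAUSES = [
    ("CertificateExpiredException", "expired_certificate"),
    ("CertificateNotYetValidException", "certificate_not_yet_valid"),
    ("PKIX path building failed", "untrusted_issuer"),
    ("PKIX path validation failed", "chain_validation_failed"),
]

# Constructed sample, modelled on the domainmanager.log line in the article (address is a placeholder).
SAMPLE_LOG_LINE = (
    "2025-09-19T03:54:43.344+0000 ERROR [vcf_dm,XXXXXX,c853] UPDATE_NSX_FIREWALL_EXCLUSION_LIST_FAILED "
    "Unable to add VMs [XXXX] to firewall exclusion list for NSX Manager "
    "RemoteEndpoint(address=nsx-manager.example.invalid, port=0, username=User). "
    "Caused by: com.vmware.vapi.client.exception.SslException: PKIX path validation failed: "
    "java.security.cert.CertPathValidatorException: validity check failed "
    "Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 01 00:00:00 UTC 2025 "
    "at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)"
)

def classify_log_line(line):
    """Extract the failing task code, the NSX endpoint and the root cause from one log line."""
    task = re.search(r"\b([A-Z_]+_FAILED)\b", line)
    endpoint = re.search(r"RemoteEndpoint\(address=([^,]+), port=(\d+)", line)
    not_after = re.search(r"NotAfter: (.+?) at ", line)
    cause = next((label for needle, label in _CAUSES if needle in line), "unknown")
    return {
        "task_code": task.group(1) if task else None,
        "nsx_address": endpoint.group(1) if endpoint else None,
        "cause": cause,
        "not_after_text": not_after.group(1) if not_after else None,
    }

def _tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, offset_after)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def _asn1_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (not_before, not_after) from a DER certificate. Structure walk only, no signature check."""
    _, cert, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, off = _tlv(tbs, 0)              # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)          # serialNumber
    _, _, off = _tlv(tbs, off)              # signature AlgorithmIdentifier
    _, _, off = _tlv(tbs, off)              # issuer Name
    _, validity, _ = _tlv(tbs, off)         # validity SEQUENCE { notBefore, notAfter }
    t1, nb, off = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, off)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def validity_status(der, now=None):
    """'valid', 'expired' or 'not_yet_valid' for the certificate at time `now` (default: now, UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_validity(der)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not_yet_valid"
    return "valid"

def fetch_nsx_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate NSX Manager presents, even when its chain would not validate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # diagnostic read only; trust is not being granted here
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _der(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_cert(not_before, not_after):
    """CONSTRUCTED, unsigned DER skeleton with real X.509 layout up to 'validity' (UTCTime YYMMDDHHMMSSZ)."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, b"\x01"),                                                # serialNumber 1
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                    # issuer (empty placeholder)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),
        _der(0x30, b""),                                                    # subject (placeholder)
        _der(0x30, b""),                                                    # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    print(classify_log_line(SAMPLE_LOG_LINE))
    sample = build_sample_cert("240101000000Z", "250101000000Z")
    print(cert_validity(sample), validity_status(sample))
```

Against a real environment, `validity_status(fetch_nsx_cert("<nsx-manager-fqdn>"))` should report `expired` before the renewal and `valid` afterwards; only then is retrying the SDDC Manager task worthwhile. The `CERT_NONE` context exists solely to read the certificate for diagnosis, which is why the helper never sends application data over that connection.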