NSX Configuration in Edge or Host Transport Node is seen in Failed state after Certificate expiry
Article ID: 411692
Updated On:
Products
VMware NSX
Issue/Introduction
- The Edge or ESXI Host Transport Node is seen in a failed state as below:
- Manager and controller connectivity is not established even with reachability between the Transport Node and the Managers (for Edge nodes the reason may also be reported as OTHER_ERROR):
nsxcli -c get managersWed Sep 24 2025 UTC 03:05:44.948- 10.#.#.21 Standby (NSX-RPC)- 10.#.#.22 Standby (NSX-RPC)- 10.#.#.23 Standby (NSX-RPC) *nsxcli -c get controllersWed Sep 24 2025 UTC 03:05:55.941Controller IP Port SSL Status Is Physical Master Session State Controller FQDN Failure Reason10.#.#.23 1235 enabled disconnected true down NA NA10.#.#.22 1235 enabled not used false null NA NA10.#.#.21 1235 enabled not used false null NA NA - Messages similar to the following are seen in the ESX i var/run/log/nsx-syslog.log file
Wa(180) nsx-proxy[2101991]: NSX 21####1 - [nsx@6876 comp="nsx-esx" subcomp="nsx-proxy" s2comp="nsx-net" tid="2102015" level="WARNING"] Certificate validation: couldn't find SHA256 digest '####################################' in local trust storeEr(179) nsx-proxy[2101991]: NSX 21####1 - [nsx@6876 comp="nsx-esx" subcomp="nsx-proxy" s2comp="nsx-net" tid="2102015" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self signed certificateIn(182) nsx-opsagent[2102367]: NSX 21###67 - [nsx@6876 comp="nsx-esx" subcomp="mpa-client" tid="21###30" level="INFO"] [AlarmsProvider] MsgHandler : Invalid stub for Master APHIn(182) nsx-opsagent[2102367]: NSX 21###67 - [nsx@6876 comp="nsx-esx" subcomp="mpa-client" tid="21###30" level="INFO"] [AlarmsProvider] SendRequest: Failed to send msg Master APH, Publish, type (com.vmware.nsx.monitoring.CollectorMpMsg), correlationId (), trackingIdStr (#######-####-####-3fa3-########a1e0), ret (-1) - Messages similar to the following are seen in the NSX Manager
/var/log/syslogfileManager01 NSX 99086 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] getStub: client ########-####-####-####-############, application HealthCheck, java.util.concurrent.ExecutionException: java.util.concurrent.TimeoutException: Channel ClientChannel(vmware.nsx.healthcheck.HealthCheckHostService, ########-####-####-####-###########) is closed before stream was opened due to Status(code=UNKNOWN, msg=Closed by remote service)
2025-09-24T02:50:00.327Z Manager01 NSX 99086 MONITORING [nsx@6876 comp="nsx-manager" errorCode="MP150008" level="ERROR" subcomp="manager"] Error in sending requestMsg to transportNode:########-####-####-####-#############, requestId(roundId): left: #######################right: #####################, errInfo:Unable to reach client ########-####-####-####-###########, application HealthCheck
Environment
VMware NSX
Cause
Certificate Validation between the Transport Node and Managers failed due to Expired Certificates
Resolution
- Check the certificate host-cert.pem.
cd /etc/vmware/nsx/
Sample output:
lsappliance-info.xml host-cert.pem host-privkey.pem netopa.xml openssl-proxy.cnf
controller-info.xml host-cfg.xml mpa-txn nsx-proxy.xml - Copy the original file to backup
cp host-cert.pem host-cert.pem.bak
- Delete the original pem file.
rm host-cert.pem
- Restart proxy service - this should recreate the new
host-cert.pemfile.
/etc/init.d/nsx-proxy restart
- Verify the new pem file and check the validity
openssl x509 -startdate -enddate -noout -in /etc/vmware/nsx/host-cert.pem
- Do a manual resync of certificates using the commands below for all three manager nodes (OR refer work around in KB: 389595
push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
sync-aph-certificates <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password> - Check the Transport Nodes status in the NSX UI
Additional Information
Feedback
Yes
No
Powered by
