2025-09-18T04:58:02.177Z nsx-mgr3.########.local NSX 1657 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="1690" level="WARNING"] Certificate validation: couldn't find SHA256 digest '########2fde6e876fa91########f10a2bd03214660########191b76816e85' in local trust store
2025-09-18T04:58:02.178Z nsx-mgr3.########.local NSX 1657 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="1690" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self signed certificate .......
2025-09-18T04:58:02.178Z nsx-mgr3.########.local NSX 1657 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="1690" level="ERROR" errorCode="NET4"] NetTransport[1] Accept on endpoint 'ssl://0.0.0.0:1234' failed with error 336105606-certificate verify failed
cd /etc/vmware/nsx/
openssl x509 -in host-cert.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ##:##:98:7f:##:##:##:##
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Palo Alto, O=VMware, Inc., [email protected], CN=VMware-NSX-Host, UID=########-7639-####-9616-############   << in the failing case the UID part is missing here
VMware NSX 4.1
Host certificate validation fails because the uniquely identifying ID (the host UUID) is missing from the Common Name of the edge node certificate.
Workaround:
Re-generate the host certificate with the host UUID in the Common Name and replace the existing one. Then run "push host-certificate" to sync the new certificate with the manager.
Host certificate generation and replacement:
1. Get the host UID from the following file:
/etc/vmware/nsx/host-cfg.xml
2. Copy /etc/vmware/nsx/openssl-proxy.cnf to a temporary file:
cp /etc/vmware/nsx/openssl-proxy.cnf /tmp/tmp-openssl-proxy.cnf
3. Append the UID line and the following block to the end of /tmp/tmp-openssl-proxy.cnf:
UID = ########-28e6-####-ba9f-0a00########
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
/tmp/tmp-openssl-proxy.cnf should then look like this:
root@ananyab-svc-nsxedge-ob-22224312-1-Edge:~# cat /tmp/tmp-openssl-proxy.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
#Don't encrypt the key
encrypt_key = no
prompt = no
string_mask = nombstr
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware, Inc.
emailAddress = [email protected]
commonName = VMware-NSX-Host
UID = ########-28e6-####-ba9f-0a00########
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
4. Delete the existing host private key and certificate files:
rm -f /etc/vmware/nsx/host-privkey.pem
rm -f /etc/vmware/nsx/host-cert.pem
5. Generate and replace the certificate with the following command:
/opt/vmware/nsx-common/python/nsx_utils/make_cert.py openssl req -days 3650 -nodes -x509 -keyout /etc/vmware/nsx/host-privkey.pem -out /etc/vmware/nsx/host-cert.pem -config /tmp/tmp-openssl-proxy.cnf -extensions req_ext
6. Finally, push the host certificate to the MP (Manager) with the following command from the CLI:
push host-certificate <Manager node IP> username admin thumbprint <Manager node thumbprint>
Connectivity with the MP should be restored once the certificate has been pushed.
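The following is an added example, not the KB's own commands: it builds the temporary openssl config with the host UID, generates the self-signed host certificate with plain openssl req (instead of the make_cert.py wrapper) into scratch files, and checks that the UID actually landed in the subject before anything is copied over the live files. The UID value and all paths are constructed placeholders.

```shell
# Added example, not the KB's own code: build the temporary openssl config with
# the host UID, generate the self-signed host certificate with plain `openssl req`
# (instead of make_cert.py), and verify the UID actually landed in the subject
# before the files are copied over the live ones. UID and paths are placeholders.

# Write a request config equivalent to /tmp/tmp-openssl-proxy.cnf after step 3:
# the KB's distinguished_name section plus the UID line and [ req_ext ] block.
build_cfg() {
    uid="$1"; out="$2"
    cat > "$out" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware, Inc.
commonName = VMware-NSX-Host
UID = $uid
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Same openssl req arguments as step 5, but writing to scratch paths so a bad
# result never replaces /etc/vmware/nsx/host-cert.pem.
gen_cert() {
    cfg="$1"; key="$2"; cert="$3"
    openssl req -days 3650 -nodes -x509 -keyout "$key" -out "$cert" \
        -config "$cfg" -extensions req_ext 2>/dev/null
}

# Succeeds only if the subject carries the expected UID and the certificate has
# the clientAuth EKU; run this before `push host-certificate`, since the manager
# rejects a host certificate whose UID is missing (the error in the symptoms).
cert_ok() {
    cert="$1"; uid="$2"
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -q "UID=$uid" || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Client Authentication"
}
```

Once cert_ok passes on the scratch files, copy them to /etc/vmware/nsx/host-privkey.pem and host-cert.pem and continue with step 6.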