NSX onboarding fails on SSP with a "No valid license available" banner message if the NSX certificate chain has multiple intermediates

Article ID: 419764

Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

  • The site status shows NotReady in the SSP UI under System > NSX Managers.

  • Describing the site shows this status:
status:
    conditions:
    - lastTransitionTime: "2025-11-17T22:56:52Z"
      message: ""
      reason: CertificatesInSync
      status: "True"
      type: CertificatesInSync
    - lastTransitionTime: "2025-11-17T22:56:53Z"
      message: ""
      reason: ConnectionEstablished
      status: "True"
      type: ConnectionEstablished
    currentState: NotReady
    message: OnboardingInProgress
    nsxInfo:
      serviceNameRef: nsx-6d9a0717-f1b7-48cf-929e-87fd5982481c
kind: List
metadata:
  resourceVersion: ""
  • Onboarding will show that the site is connected, but you will not see any information about the site (e.g. version, cluster status, etc). 

  • If you offboard and onboard again by clicking Reconnect in the SSP UI, you see this error.



  • In the site-service logs, this error will be repeated:
2025-11-18T11:00:36.838Z ERROR Reconciler error {"request": {"name":"6d9a0717-f1b7-48cf-929e-87fd5982481c","namespace":"nsxi-platform"}, "reconcileID": "8ec503ee-4636-408b-8073-c4f835acd58e", "error": "subreconciler reconcileNsxData failed: failed to unregister UI plugins [intelligence malware_prevention platform ndr] due to error while executing API call to https://cluster-api/cluster-api/post-deployment/6d9a0717-f1b7-48cf-929e-87fd5982481c: {\"error_code\":500,\"error_message\":\"Delete \\\"https://nsx-6d9a0717-f1b7-48cf-929e-87fd5982481c/policy/api/v1/ui-controller/remote-ui-plugins/pace-ui\\\": x509: certificate signed by unknown authority\",\"module_name\":\"cluster-api\"}"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler
        external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:341
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem
        external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:288
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2
        external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:249
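
To confirm that a NotReady site matches this article, the site-service log can be scanned for reconciler errors whose root cause is the x509 trust failure shown above. The following Python is an added example, not part of the original article or of any Broadcom tooling; the function and field names are hypothetical, and it assumes each log entry sits on one line with the JSON layout seen in the excerpt.

```python
import json
import re

MARKER = "x509: certificate signed by unknown authority"
LINE_RE = re.compile(r"^(\S+)\s+ERROR\s+Reconciler error\s+(\{.*\})\s*$")
URL_RE = re.compile(r'https://([^/"\s]+)(/[^"\s]*)?')

# Constructed sample: the first entry reproduces the site-service error from
# this article; the second is a made-up reconciler error with another cause.
SAMPLE_LOG = [
    r'2025-11-18T11:00:36.838Z ERROR Reconciler error {"request": {"name":"6d9a0717-f1b7-48cf-929e-87fd5982481c","namespace":"nsxi-platform"}, '
    r'"reconcileID": "8ec503ee-4636-408b-8073-c4f835acd58e", "error": "subreconciler reconcileNsxData failed: failed to unregister UI plugins '
    r'[intelligence malware_prevention platform ndr] due to error while executing API call to https://cluster-api/cluster-api/post-deployment/6d9a0717-f1b7-48cf-929e-87fd5982481c: '
    r'{\"error_code\":500,\"error_message\":\"Delete \\\"https://nsx-6d9a0717-f1b7-48cf-929e-87fd5982481c/policy/api/v1/ui-controller/remote-ui-plugins/pace-ui\\\": x509: certificate '
    r'signed by unknown authority\",\"module_name\":\"cluster-api\"}"}',
    '2025-11-18T11:05:00.000Z ERROR Reconciler error {"request": '
    '{"name":"example-site","namespace":"nsxi-platform"}, "error": "context deadline exceeded"}',
]

def find_trust_failures(lines):
    """Return one record per reconciler error caused by an untrusted NSX certificate."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace frames and non-ERROR lines
        try:
            fields = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # wrapped or truncated entry
        err = fields.get("error", "")
        if MARKER not in err:
            continue
        # cluster-api appends its own JSON error body to the end of the message
        start = err.find('{"error_code"')
        try:
            inner = json.loads(err[start:]) if start != -1 else {}
        except json.JSONDecodeError:
            inner = {}
        url = URL_RE.search(inner.get("error_message", ""))
        hits.append({"time": m.group(1),
                     "site": fields.get("request", {}).get("name"),
                     "reported_by": inner.get("module_name"),
                     "nsx_host": url.group(1) if url else None,
                     "nsx_path": url.group(2) if url else None})
    return hits

if __name__ == "__main__":
    print(find_trust_failures(SAMPLE_LOG))
```

A record whose nsx_host matches the serviceNameRef in the site status ties the failed call to the NSX manager whose certificate chain should be inspected.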

Environment

Security Services Platform 5.1

Cause

This happens when the NSX site's cluster certificate chain has multiple intermediates. In that case, some calls from SSP to NSX fail authentication and onboarding does not complete successfully.

Resolution

Please contact Broadcom Technical Support for the workaround.

Note: This issue will be fixed in the next release of SSP.

 

Attachments

cluster_api_image.tar
patch-cluster-api.sh