When attempting to upgrade NSX, the upgrade pre-check fails with the following error:
The certificate with ID ##########-####-####-####-########## failed validation: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49) Please delete or replace this certificate prior to upgrading. See KB article https://knowledge.broadcom.com/external/article?articleId=369034.
The certificate appears valid in the NSX Manager interface and doesn't expire for over a year. The certificate is issued by an internal Certificate Authority (CA) rather than being a self-signed certificate. Standard certificate validation using the API call GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate returns successful results.
VMware NSX
The certificate PEM encoding contains malformed data. When retrieving the certificate details via GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id> the "pem_encoded" field incorrectly includes a Certificate Signing Request (CSR) followed by extraneous text before the certificate chain:
"pem_encoded": "-----BEGIN CERTIFICATE REQUEST------
##########
-----END CERTIFICATE REQUEST------
BUNCH OF RANDOM TEXT
-----BEGIN CERTIFICATE-------
#########
-----END CERTIFICATE-------"
Valid certificate objects should only contain the certificate chain without CSR data or additional text. This malformation causes the Java certificate parser to fail when attempting to parse object identifiers during upgrade validation.
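The check described above, as an added example that is not part of the original article or of NSX: it inspects a "pem_encoded" value for PEM blocks other than CERTIFICATE and for text outside the blocks. The function name and the sample strings are assumptions made for illustration. The sample data is constructed and is not a real certificate or CSR.

```python
import base64
import re

# RFC 7468 boundaries use exactly five dashes on each side of the label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def audit_pem_encoded(pem_encoded):
    """Return a list of problems in a pem_encoded value (empty list = clean)."""
    problems, cert_count, cursor = [], 0, 0
    for match in PEM_BLOCK.finditer(pem_encoded):
        # Anything other than whitespace between blocks is extraneous text.
        stray = pem_encoded[cursor:match.start()].strip()
        if stray:
            problems.append(f"extraneous text before block: {stray[:40]!r}")
        cursor = match.end()
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            problems.append(f"unexpected PEM block: {label}")
            continue
        cert_count += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"certificate #{cert_count}: invalid base64")
            continue
        # A DER-encoded X.509 certificate begins with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"certificate #{cert_count}: not a DER SEQUENCE")
    trailing = pem_encoded[cursor:].strip()
    if trailing:
        problems.append(f"extraneous text after last block: {trailing[:40]!r}")
    if cert_count == 0:
        problems.append("no CERTIFICATE block found")
    return problems


# Constructed sample data: a tiny DER SEQUENCE stands in for real bodies.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
CLEAN = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"
MALFORMED = (
    f"-----BEGIN CERTIFICATE REQUEST-----\n{SAMPLE_BODY}\n"
    "-----END CERTIFICATE REQUEST-----\nBUNCH OF RANDOM TEXT\n" + CLEAN)

if __name__ == "__main__":
    for name, value in (("clean", CLEAN), ("malformed", MALFORMED)):
        print(name, audit_pem_encoded(value) or "OK")
```

Running the function over the "pem_encoded" value of each certificate before starting the upgrade identifies objects that need to be replaced.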
Replace the malformed certificate by importing a new CA-signed certificate with the complete certificate chain and private key:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
This issue is certificate-related and not specific to any NSX version. After replacing the certificate and applying it to the API service, the upgrade pre-checks should complete successfully.