In the NSX UI, an NSX Edge Deployment fails with:
OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
GET https://NSX_Manager/api/v1/transport-nodes/{{tn-id}}/state
{
  "transport_node_id": "<UUID>",
  "maintenance_mode_state": "DISABLED",
  "node_deployment_state": {
    "state": "VM_DEPLOYMENT_FAILED",
    "failure_message": "OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]",
    "failure_code": 16020
  },
  "state": "pending"
}
In /var/log/proton/nsxapi.log an error is seen similar to this example:
2026-01-30T05:40:23.405Z ERROR ActivityWorkerPool-1-3 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31703" level="ERROR" subcomp="manager"] untrusted_certificate. Error : [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
2026-01-30T05:40:23.405Z ERROR ActivityWorkerPool-1-3 DeploymentUnitActivityVMDeploy 77630 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26050" level="ERROR" subcomp="manager"] VM Deployment having du id:DeploymentUnit/<UUID> and dui id:DeploymentUnitInstance/<UUID> failed for /infra/sites/default/enforcement-points/default/edge-transport-node/<Edge UUID>.
com.vmware.nsx.management.ovfops.exception.CertificateManifestValidationError: null id=DeploymentUnitInstance/<UUID>, deploymentUnitId=DeploymentUnit/<UUID>, hostId=null, entityId=, prevEntityId=, runningVersion=<NSX-Version>, deploymentProgressState=DEPLOYMENT_FAILED, deploymentGoalState=ENABLED, internalLastKnownOSVersion=null, agentId=null, errorId=0, errorMessage=OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ], scxInstalled=false] to DEPLOYMENT_FAILED:OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
In the SDDC Manager UI, NSX Edge Deployment/NSX Edge Expansion fails with:
Description: Deploy NSX Edge Node VM
Progress Messages: Failed to deploy NSX Edge ####### on ######.#####.#####
Failed to undo NSX Edge ######.#####.##### deployment on ######.#####.#####
ErrorMessage: Failed to deploy NSX Edge ####### on ######.#####.#####
Remediation Message:
Cause: Edge node ###### creation failed, node state is pending, VM deployment state is VM_DEPLOYMENT_FAILED

/var/log/vmware/vcf/domainmanager/domainmanager.log
======================================================================================
####-##-##T##:##:##.###+#### DEBUG [vcf_dm,################################,24ac] [c.v.v.c.f.p.n.a.CreateNsxtEdgeNodeVmAction,dm-exec-6] Node state = pending, deployment state = {"failureCode":16020,"failureMessage":"OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]","state":"*****","__dynamicStructureFields":{"fields":{},"name":"struct"}}, depl progress = /%, inProgress =false
####-##-##T##:##:##.###+#### DEBUG [vcf_dm,################################,24ac] [c.v.v.c.f.p.n.h.NsxtCommonOperations,dm-exec-6] Finished waiting for Edge node <edge-hostname> to become ready, currentState is {"state":"pending","maintenanceModeState":"DISABLED","nodeDeploymentState":{"failureCode":16020,"failureMessage":"OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]","state":"*****","__dynamicStructureFields":{"fields":{},"name":"struct"}},"transportNodeId":"########-####-####-####-############","__dynamicStructureFields":{"fields":{},"name":"struct"}}

NSX Edge 9.x deployment via vSphere UI fails with:
VMware NSX Edge 3.x, 4.x & 9.x
VMware Cloud Foundation 4.5.x, 5.x, and 9.0.x
The signing certificate used to sign the Edge OVF during the build process expired on January 3rd, 2026. As a result, any new Edge install or existing Edge redeploy/resize workflow using the NSX UI/API will fail.
This is a known issue impacting VMware NSX.
To work around this issue, follow this procedure, which involves disabling OVF validation on the NSX Manager.
Ensure an up-to-date backup is in place and the credentials and passphrase are known.
There is no impact to production when following this procedure.
Workaround persistence:
Script: disable_ovf_validation_flag.sh (MD5: 9e44c678a035bedd42f53a15626b3919)
2. Copy the script to the "/tmp" directory of all 3 NSX Managers
3. Log in as the root user to the NSX Manager and execute the script on all 3 Managers:
bash /tmp/disable_ovf_validation_flag.sh
If the script has executed successfully, the following is output to the screen:
[INFO] Starting OVF validation flag update script
[INFO] Timestamp: Thu Jan 1 19:15:49 UTC 2026
[INFO] Flag updated successfully
[INFO] ===================================================================
[INFO] SUCCESS: Flag update completed successfully
[INFO] ===================================================================
[WARN] Please run this script on the remaining Manager node(s) in the cluster.
If the script has failed, the following is output to the screen:
[INFO] ===================================================================
[INFO] FAILURE: Script execution failed
[INFO] ===================================================================
4. If the script has been successful, proceed with the deployment operation
5. The Edge installation or redeployment will include the following log confirming that the workaround to skip certificate validation has been applied:
In the NSX Manager log file /var/log/proton/nsxapi.log, a message similar to this example will be observed:
2026-01-30T06:25:11.964Z INFO ActivityWorkerPool-1-14 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Skipping ovf certificate/manifest validation for [<Edge-name>].
It is acceptable to leave this workaround in place to avoid a repeat occurrence of the issue.
If it is preferred to revert the workaround, follow these steps.
Script: enable_ovf_validation_flag.sh (MD5: 4e0c130f7c4aeae8b825c17735678836)
2. Copy the script to the "/tmp" directory of all 3 NSX Managers
3. Log in as the root user to the NSX Manager and execute the script on all 3 Managers:
bash /tmp/enable_ovf_validation_flag.sh
If the script has executed successfully, the following is output to the screen:
[INFO] Starting OVF validation flag update script
[INFO] Timestamp: Thu Jan 1 19:15:49 UTC 2026
[INFO] Flag updated successfully
[INFO] ===================================================================
[INFO] SUCCESS: Flag update completed successfully
[INFO] ===================================================================
[WARN] Please run this script on the remaining Manager node(s) in the cluster.
If the script has failed, the following is output to the screen:
[INFO] ===================================================================
[INFO] FAILURE: Script execution failed
[INFO] ===================================================================
If the script has failed, either when applying or reverting the workaround, capture the screen output and the Manager logs, and open a support case with Broadcom Support referring to this KB article. For more information, see Creating and managing Broadcom support cases.
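Two checks around the apply and revert procedures above, as an added example that is not part of the Broadcom scripts or this KB: confirm a downloaded script matches its published MD5 before running it as root, and list from nsxapi.log which Edge deployments failed validation or skipped it while the workaround was active. The function names and the Edge name edge-01 are hypothetical; the log lines are constructed from the two messages quoted in this article.

```bash
#!/usr/bin/env bash
# Added example, not Broadcom's script; function names are hypothetical.

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 equals EXPECTED (the
# value published in this article). This catches a wrong or truncated
# download; MD5 is not a signature.
verify_md5() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ] || { echo "MD5 mismatch: $file is $actual" >&2; return 1; }
}

# audit_ovf_validation [LOGFILE]: one line per SfdmOvfCertificateValidator
# event, "<timestamp> SKIPPED <edge>" or "<timestamp> EXPIRED -".
audit_ovf_validation() {
    awk '
        / SfdmOvfCertificateValidator / {
            if (match($0, /Skipping ovf certificate\/manifest validation for \[/)) {
                edge = substr($0, RSTART + RLENGTH)   # text after the opening bracket
                sub(/\]\.?$/, "", edge)               # drop the closing "]."
                print $1, "SKIPPED", edge
            } else if ($0 ~ /CERTIFICATE_EXPIRED/) {
                print $1, "EXPIRED", "-"
            }
        }' "${1:--}"
}

# Constructed sample lines modelled on the two nsxapi.log messages quoted above.
sample_log() {
    cat <<'EOF'
2026-01-30T05:40:23.405Z ERROR ActivityWorkerPool-1-3 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31703" level="ERROR" subcomp="manager"] untrusted_certificate. Error : [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
2026-01-30T06:25:11.964Z INFO ActivityWorkerPool-1-14 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Skipping ovf certificate/manifest validation for [edge-01].
EOF
}

# Usage on a Manager (paths and MD5 values as given in this article):
#   verify_md5 /tmp/disable_ovf_validation_flag.sh 9e44c678a035bedd42f53a15626b3919 \
#       && bash /tmp/disable_ovf_validation_flag.sh
#   audit_ovf_validation /var/log/proton/nsxapi.log
sample_log | audit_ovf_validation
```

Each SKIPPED line identifies an Edge whose OVF was deployed without certificate or manifest validation, which is the record to keep if the workaround is left in place.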
For NSX Manager related deployment issues, see "OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]" error for NSX Manager deployment.