"OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]" error for NSX Manager deployment

Article ID: 424035

Products

VMware NSX

Issue/Introduction

  • On the NSX UI, an NSX Manager deployment fails with:

OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]

  • On NSX 3.x, the UI may display "Some error has occurred" instead of "OVF certificate validation failed".
  • In the NSX Manager log /var/log/proton/nsxapi.log, an error similar to this example is seen:

2026-01-10T14:34:19.982Z ERROR ActivityWorkerPool-1-2 SfdmOvfCertificateValidator 8278 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31703" level="ERROR" subcomp="manager"] untrusted_certificate. Error : [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
2026-01-10T14:34:19.983Z ERROR ActivityWorkerPool-1-2 DeploymentUnitActivityVMDeploy 8278 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26050" level="ERROR" subcomp="manager"] VM Deployment having du id:DeploymentUnit/<UUID> and dui id:DeploymentUnitInstance/<UUID> failed for <UUID>.
com.vmware.nsx.management.ovfops.exception.CertificateManifestValidationError: null
        at com.vmware.nsx.management.service_fabric.sfdm.ovf.SfdmOvfCertificateValidator.validateCertificateChain(SfdmOvfCertificateValidator.java:125) ~[?:?]
        at com.vmware.nsx.management.ovfops.validator.service.OvfCertificateValidator.validateCertificateContent(OvfCertificateValidator.java:68) ~[?:?]
        at com.vmware.nsx.management.service_fabric.sfdm.ovf.SfdmOvfCertificateValidator.validateCertificateContent(SfdmOvfCertificateValidator.java:58) ~[?:?]
        at com.vmware.nsx.management.ovfops.validator.service.OvfCertificateValidator.validateOvf(OvfCertificateValidator.java:79) ~[?:?]
        at com.vmware.nsx.management.service_fabric.sfdm.ovf.SfdmOvfCertificateValidator.validateOvf(SfdmOvfCertificateValidator.java:71) ~[?:?]
        at com.vmware.nsx.management.service_fabric.sfdm.vc.Vc60VmSfdmManager.validate(Vc60VmSfdmManager.java:72) ~[?:?]
        at com.vmware.nsx.management.service_fabric.sfm.deployment.service.DeploymentUnitActivityVMDeploy.phasePreVMDeploy(DeploymentUnitActivityVMDeploy.java:192) ~[?:?]
2026-01-10T14:34:20.002Z  INFO ActivityWorkerPool-1-3 ActivityExecutor 8278 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Phase execution started. Activity= Activity= 'DeploymentUnitActivityVMDeploy:<UUID>' entity= 'DeploymentUnitInstance/<UUID>', phase= 'Error', requestId= 'null', trackerId= 'null'.

  • This issue may be encountered in any scenario that involves an NSX Manager OVF deployment, including greenfield deployment, resizing the Manager appliance, restore from backup, etc.
  • This issue impacts both Local and Global Managers.

Environment

VMware NSX 3.x, 4.0.x.

Cause

The certificate used to sign the NSX Manager (Unified Appliance) OVF during the build process expired on January 3, 2026. As a result, new NSX Manager (Unified Appliance) deployment workflows using the NSX UI/API will fail.

Resolution

This issue is resolved in VMware NSX 4.1.x, available at Broadcom downloads.

To work around this issue, follow this procedure, which involves disabling OVF validation on the NSX Manager.
Ensure an up-to-date backup is in place and that the credentials and passphrase are known.
There is no impact to production when following this procedure.

Workaround persistence:

  • The setting is persistent across Manager reboots.
  • The setting is persistent after an NSX upgrade.
  • The setting will only be reset to default during a fresh manager install or a redeploy. The script will need to be run again in this case.

  1. Download the script attached at the bottom of this KB:

     Script: disable_ovf_validation_flag.sh (MD5: 9e44c678a035bedd42f53a15626b3919)

  2. Copy the script to the "/tmp" directory on all 3 NSX Managers.

  3. Log in to the NSX Manager as the root user and execute the script on all 3 Managers:

     bash /tmp/disable_ovf_validation_flag.sh

If the script has executed successfully, the following is printed to the screen:

[INFO] Starting OVF validation flag update script
[INFO] Timestamp: Thu Jan  1 19:15:49 UTC 2026
[INFO] Flag updated successfully
[INFO] ===================================================================
[INFO] SUCCESS: Flag update completed successfully
[INFO] ===================================================================
[WARN] Please run this script on the remaining Manager node(s) in the cluster.

If the script has failed, the following is printed to the screen:

[INFO] ===================================================================
[INFO] FAILURE: Script execution failed
[INFO] ===================================================================

  4. If the script was successful, proceed with the deployment operation.

  5. The Manager deployment will log a message confirming that the workaround to skip certificate validation has been applied. In the NSX Manager log file /var/log/proton/nsxapi.log, a message similar to this example will be observed:

2026-01-30T06:25:11.964Z  INFO ActivityWorkerPool-1-14 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Skipping ovf certificate/manifest validation for [<Manager-name>].
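
To audit which deployments failed on the expired certificate and which ran with validation skipped, the two log messages shown in this article can be pulled out of nsxapi.log. This is an added example, not part of the KB or a Broadcom script; the function names and the sample log lines (including the manager name nsx-mgr-02) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list OVF validation outcomes recorded in nsxapi.log.
# Match strings are taken from the log excerpts in this article.

# ovf_validation_events FILE
# Prints "<timestamp> EXPIRED" or "<timestamp> SKIPPED <target>" per event.
ovf_validation_events() {
    awk '
        /SfdmOvfCertificateValidator/ && /CERTIFICATE_EXPIRED/ {
            print $1, "EXPIRED"
        }
        /SfdmOvfCertificateValidator/ && /Skipping ovf certificate\/manifest validation/ {
            target = "unknown"
            # Extract the name between the brackets after "validation for ".
            if (match($0, /validation for \[[^]]*\]/))
                target = substr($0, RSTART + 16, RLENGTH - 17)
            print $1, "SKIPPED", target
        }
    ' "$1"
}

# count_events FILE KIND   (KIND is EXPIRED or SKIPPED)
count_events() {
    ovf_validation_events "$1" | awk -v kind="$2" '$2 == kind { n++ } END { print n + 0 }'
}

# Constructed sample input modelled on the excerpts above (not real logs).
sample_log() {
    cat <<'EOF'
2026-01-10T14:34:19.982Z ERROR ActivityWorkerPool-1-2 SfdmOvfCertificateValidator 8278 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP31703" level="ERROR" subcomp="manager"] untrusted_certificate. Error : [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]
        at com.vmware.nsx.management.service_fabric.sfdm.ovf.SfdmOvfCertificateValidator.validateCertificateChain(SfdmOvfCertificateValidator.java:125) ~[?:?]
2026-01-30T06:25:11.964Z  INFO ActivityWorkerPool-1-14 SfdmOvfCertificateValidator 77630 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Skipping ovf certificate/manifest validation for [nsx-mgr-02].
EOF
}

# Demo on the sample; on a Manager, pass /var/log/proton/nsxapi.log instead.
tmp=$(mktemp)
sample_log > "$tmp"
ovf_validation_events "$tmp"
echo "expired=$(count_events "$tmp" EXPIRED) skipped=$(count_events "$tmp" SKIPPED)"
rm -f "$tmp"
```

Each SKIPPED line identifies an appliance that was deployed without OVF certificate/manifest validation, which is worth recording alongside the change that applied the workaround.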


It is acceptable to leave this workaround in place to avoid a repeat occurrence of the issue.

If it is preferred to revert the workaround, follow these steps. 

  1. Download the script attached at the bottom of this KB:

     Script: enable_ovf_validation_flag.sh (MD5: 4e0c130f7c4aeae8b825c17735678836)

  2. Copy the script to the "/tmp" directory on all 3 NSX Managers.

  3. Log in to the NSX Manager as the root user and execute the script on all 3 Managers:

     bash /tmp/enable_ovf_validation_flag.sh

If the script has executed successfully, the following is printed to the screen:

[INFO] Starting OVF validation flag update script
[INFO] Timestamp: Thu Jan  1 19:15:49 UTC 2026
[INFO] Flag updated successfully
[INFO] ===================================================================
[INFO] SUCCESS: Flag update completed successfully
[INFO] ===================================================================
[WARN] Please run this script on the remaining Manager node(s) in the cluster.


If the script has failed, the following is printed to the screen:

[INFO] ===================================================================
[INFO] FAILURE: Script execution failed
[INFO] ===================================================================


If the script fails while either applying or reverting the workaround, capture the screen output and the Manager logs, and open a support case with Broadcom Support referring to this KB article. For more information, see Creating and managing Broadcom support cases.
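
Both procedures above run a downloaded script as root, so the MD5 values published in this article can be checked before execution. This is an added example, not one of the KB's attached scripts; the function names are illustrative and it assumes md5sum is available on the Manager.

```shell
#!/bin/sh
# Added example: refuse to run a workaround script unless its MD5 matches
# the value published in this article.

DISABLE_MD5=9e44c678a035bedd42f53a15626b3919   # disable_ovf_validation_flag.sh
ENABLE_MD5=4e0c130f7c4aeae8b825c17735678836    # enable_ovf_validation_flag.sh

# verify_md5 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing.
verify_md5() {
    file=$1
    # Normalise case so a checksum pasted in upper case still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "[FAIL] $file: not found" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "[OK]   $file"
    else
        echo "[FAIL] $file: got $actual, expected $expected" >&2
        return 1
    fi
}

# run_if_verified FILE EXPECTED
# Executes FILE with bash only after the checksum has matched.
run_if_verified() {
    verify_md5 "$1" "$2" && bash "$1"
}

# Usage: sh this_file.sh disable|enable   (does nothing without an argument)
case "${1:-}" in
    disable) run_if_verified /tmp/disable_ovf_validation_flag.sh "$DISABLE_MD5" ;;
    enable)  run_if_verified /tmp/enable_ovf_validation_flag.sh "$ENABLE_MD5" ;;
esac
```

A mismatch means the copy on that Manager differs from the attachment described here and should be downloaded again before anything is run.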

Additional Information

For the related NSX Edge deployment issue, see "OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]" error for NSX Edge Install/Redeploy/Resize.

 

Attachments

enable_ovf_validation_flag.sh
disable_ovf_validation_flag.sh