Deploying a service VM (SVM) in NSX fails due to "Error creating agency for deployment unit ########-####-####-####-############. OVF certificate validation failed"

Article ID: 425349


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When using Service Insertion in NSX, the deployment of a service VM (SVM) fails with the following error:

Error creating agency for deployment unit ########-####-####-####-############. OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]. Delete this deployment and create another one

 

In /var/log/syslog on the NSX Manager, the following error is logged:

2026-01-12T09:35:52.396Z NSXMGR02 NSX 5897 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26169" level="ERROR" reqId="12eb34a1-####-####-####-############" subcomp="manager" username="admin"] Issues in deployment unit DeploymentUnit/23cd45c5-####-####-####-############ having agency null. Issues: [Issue [errorMessage=Error creating agency for deployment unit 23cd45c5-####-####-####-############. OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]. Delete this deployment and create another one., linkedId=null, occurredAtTime=null, errorId=26134]]

 

This issue may be encountered any time a service VM (SVM) needs to be created.
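
The syslog check described above, as an added example that is not part of the KB: it scans NSX Manager syslog text for the CERTIFICATE_EXPIRED validation failure and lists each affected deployment unit with its hit count and first and last timestamps. The sample lines and their UUIDs are constructed, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not Broadcom code): list deployment units whose SVM deployment
# failed OVF validation with CERTIFICATE_EXPIRED, from NSX Manager syslog lines.

# Reads syslog text on stdin. Prints "<unit-id> <hits> <first-seen> <last-seen>".
expired_ovf_units() {
    awk '
        /OVF certificate validation failed/ && /VALIDATION_ERROR: CERTIFICATE_EXPIRED/ {
            if (match($0, /DeploymentUnit\/[^ ]+/)) {
                id = substr($0, RSTART + 15, RLENGTH - 15)   # drop "DeploymentUnit/"
                if (!(id in hits)) { first[id] = $1; order[++k] = id }
                hits[id]++
                last[id] = $1                                # field 1 is the timestamp
            }
        }
        END {
            for (i = 1; i <= k; i++) {
                id = order[i]
                print id, hits[id], first[id], last[id]
            }
        }
    '
}

# Constructed sample lines modelled on the entry above; the UUIDs are made up.
sample_syslog() {
    cat <<'EOF'
2026-01-12T09:35:52.396Z NSXMGR02 NSX 5897 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26169" level="ERROR" subcomp="manager" username="admin"] Issues in deployment unit DeploymentUnit/11111111-aaaa-4aaa-8aaa-000000000001 having agency null. Issues: [Issue [errorMessage=Error creating agency for deployment unit 11111111-aaaa-4aaa-8aaa-000000000001. OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]. Delete this deployment and create another one., linkedId=null, occurredAtTime=null, errorId=26134]]
2026-01-12T09:36:10.004Z NSXMGR02 NSX 5897 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Constructed unrelated log entry
2026-01-12T09:41:07.120Z NSXMGR02 NSX 5897 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26169" level="ERROR" subcomp="manager" username="admin"] Issues in deployment unit DeploymentUnit/11111111-aaaa-4aaa-8aaa-000000000001 having agency null. Issues: [Issue [errorMessage=Error creating agency for deployment unit 11111111-aaaa-4aaa-8aaa-000000000001. OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]. Delete this deployment and create another one., linkedId=null, occurredAtTime=null, errorId=26134]]
2026-01-12T10:02:33.815Z NSXMGR02 NSX 5897 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP26169" level="ERROR" subcomp="manager" username="admin"] Issues in deployment unit DeploymentUnit/22222222-bbbb-4bbb-8bbb-000000000002 having agency null. Issues: [Issue [errorMessage=Error creating agency for deployment unit 22222222-bbbb-4bbb-8bbb-000000000002. OVF certificate validation failed. Error: [VALIDATION_ERROR: CERTIFICATE_EXPIRED; ]. Delete this deployment and create another one., linkedId=null, occurredAtTime=null, errorId=26134]]
EOF
}

# Demo on the constructed sample. On a Manager node, as root:
#   expired_ovf_units < /var/log/syslog
sample_syslog | expired_ovf_units
```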

Cause

The signing certificate used to sign the SVM OVF during the build process expired on January 3, 2026. As a result, new SVM deployments fail.

Resolution

This is a known issue impacting VMware NSX.

To work around this issue, follow the procedure below, which disables third-party OVF validation on the NSX Manager.
Before starting, ensure an up-to-date backup is in place and that the credentials and passphrase are known.
There is no impact to production when following this procedure.

Workaround persistence:

  • The setting is persistent across Manager reboots.
  • The setting is persistent after an NSX upgrade.
  • The setting is reset to default only by a fresh Manager install or a redeploy. The script must be run again in that case.

  1. Download the script attached at the bottom of this KB:

    Script: disable_ovf_third_party_validation_flag.sh (MD5: 4c99318982da9f564fe031d44cc03965)

  2. Copy the script to the "/tmp" directory on all 3 NSX Managers.
  3. Log in to the NSX Manager as the root user and execute the script on all 3 Managers:

    bash /tmp/disable_ovf_third_party_validation_flag.sh

    If the script executes successfully, the following is printed to the screen:

    [INFO] Starting OVF validation flag update script
    [INFO] Timestamp: Thu Jan  1 19:15:49 UTC 2026
    [INFO] Flag updated successfully
    [INFO] ===================================================================
    [INFO] SUCCESS: Flag update completed successfully
    [INFO] ===================================================================
    [WARN] Please run this script on the remaining Manager node(s) in the cluster.

    If the script fails, the following is printed to the screen:

    [INFO] ===================================================================
    [INFO] FAILURE: Script execution failed
    [INFO] ===================================================================

  4. If the script was successful, proceed with the deployment operation.

It is acceptable to leave this workaround in place to avoid a repeat occurrence of the issue.
If it is preferred to revert the workaround, follow these steps. 

  1. Download the script attached at the bottom of this KB:

    Script: enable_ovf_third_party_validation_flag.sh (MD5: 30c18cf67aa866a8d5630399dcfede86)

  2. Copy the script to the "/tmp" directory on all 3 NSX Managers.
  3. Log in to the NSX Manager as the root user and execute the script on all 3 Managers:

    bash /tmp/enable_ovf_third_party_validation_flag.sh

    If the script executes successfully, the following is printed to the screen:

    [INFO] Starting OVF validation flag update script
    [INFO] Timestamp: Thu Jan  1 19:15:49 UTC 2026
    [INFO] Flag updated successfully
    [INFO] ===================================================================
    [INFO] SUCCESS: Flag update completed successfully
    [INFO] ===================================================================
    [WARN] Please run this script on the remaining Manager node(s) in the cluster.

    If the script fails, the following is printed to the screen:

    [INFO] ===================================================================
    [INFO] FAILURE: Script execution failed
    [INFO] ===================================================================

If the script fails when either applying or reverting the workaround, capture the screen output and the Manager logs, and open a support case with Broadcom Support referring to this KB article. For more information, see Creating and managing Broadcom support cases.
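
Steps 1 to 3 of both the apply and the revert procedure, as an added example that is not part of the KB or its attached scripts: it checks the downloaded script against the MD5 published above before executing it, and decides success from the SUCCESS and FAILURE banners shown above. It assumes `md5sum` and `awk` are available on the node; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not Broadcom code): check a KB script against its published
# MD5 before running it as root, then judge the run by the documented output.

# MD5 values as published in this article.
DISABLE_MD5="4c99318982da9f564fe031d44cc03965"
ENABLE_MD5="30c18cf67aa866a8d5630399dcfede86"

# md5_matches FILE EXPECTED: 0 if FILE hashes to EXPECTED (case-insensitive).
md5_matches() {
    local file="$1" expected actual
    [ -f "$file" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# output_status: script output on stdin -> success | failure | unknown.
# A FAILURE banner wins even if a SUCCESS line also appears.
output_status() {
    awk '
        /SUCCESS: Flag update completed successfully/ { ok = 1 }
        /FAILURE: Script execution failed/            { bad = 1 }
        END { print (bad ? "failure" : (ok ? "success" : "unknown")) }
    '
}

# run_verified FILE EXPECTED_MD5: refuse to execute on a checksum mismatch;
# return 0 only when the output reports success.
run_verified() {
    local file="$1" expected="$2" out
    if ! md5_matches "$file" "$expected"; then
        echo "checksum mismatch for $file; not executing" >&2
        return 1
    fi
    out=$(bash "$file" 2>&1) || true   # the article defines success by output
    printf '%s\n' "$out"
    [ "$(printf '%s\n' "$out" | output_status)" = "success" ]
}

# On each Manager node, as root:
#   run_verified /tmp/disable_ovf_third_party_validation_flag.sh "$DISABLE_MD5"
#   run_verified /tmp/enable_ovf_third_party_validation_flag.sh  "$ENABLE_MD5"
if [ "$#" -eq 2 ]; then
    run_verified "$1" "$2"
fi
```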

Attachments

disable_ovf_third_party_validation_flag.sh
enable_ovf_third_party_validation_flag.sh