TKGI namespace Ingress secret not updated when NCP and NSX load balancer in use.

Article ID: 433323


Products

VMware NSX

Issue/Introduction

In a TKGI (Tanzu Kubernetes Grid Integrated) environment, updating a TLS secret in a Kubernetes namespace may fail to reflect the new certificate on the NSX Load Balancer. The Load Balancer may continue to serve the old certificate, or the service may become unavailable.

  • Updating the Kubernetes TLS secret does not trigger a certificate change on the NSX Virtual Server.
  • NCP (NSX Container Plugin) logs report: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate.
  • The NCP log (/ncp/ncp.stdout.log) shows a failure similar to the following:

    2026-03-10T14:37:46.735Z <UUID> NSX 70168 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="WARNING"] vmware_nsxlib.v3.client The HTTP request returned error code 400, whereas 201/200 response codes were expected. Response body {'httpStatus': 'BAD_REQUEST', 'error_code': 2076, 'module_name': 'internal-framework', 'error_message': 'Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate.'}
    2026-03-10T14:37:46.735Z <UUID> NSX 70168 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" errorCode="NCP00065"] nsx_ujo.ncp.nsx.policy.nsxapi import_cert failed, cause: Unexpected error from backend manager (['<NSX MANAGER NAME>']) for PATCH policy/api/v1/infra/certificates/lb_<LB UUID>: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate., args: (b'-----BEGIN CERTIFICATE-----\n<CERTIFICATE CONTENTS>[truncated]..., kwargs: {}
    2026-03-10T14:37:46.736Z <UUID> NSX 70168 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" errorCode="NCP05012"] nsx_ujo.ncp.k8s.ingress_lb_controller Ingress update workflow failed for ingress <Ingress ID>: Unexpected error from backend manager (['<Manager Name>']) for PATCH policy/api/v1/infra/certificates/lb_<LB UUID>: Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate.

Environment

  • VMware NSX

  • VMware Tanzu Kubernetes Grid Integrated (TKGI)

Cause

The certificate update fails because the new certificate bundle in the secret (the tls.crt entry) concatenates the PEM blocks in the wrong order, so NSX Manager rejects the certificate import (HTTP 400, error_code 2076 in the NCP log above). Because the import fails on the NSX Manager side, NCP never reaches the point of updating the Load Balancer configuration, and the Virtual Server is left with whatever certificate it had before.

Resolution

To resolve this issue, correct the order of the certificates in the tls.crt entry of the TKGI namespace secret:

  1. Extract and Inspect: Decode the certificate bundle currently stored in the secret and check the subject and issuer of each PEM block to identify which one is the leaf, which are intermediates and which is the root.
  2. Reorder the PEM blocks: Concatenate the certificates in the order NSX Manager expects:
    • Top: Leaf/Server Certificate
    • Middle: Intermediate Certificate(s)
    • Bottom: Root CA Certificate
  3. Update Secret: Apply the corrected bundle to the Kubernetes secret (the private key in tls.key must still be the one that matches the leaf certificate). NCP then re-runs the Ingress update workflow and imports the certificate into NSX Manager.
  4. Verify: Check the Virtual Server in the NSX Manager UI, or run curl -v against the domain, to confirm the Load Balancer now presents the new certificate and that the NCP log no longer reports the chain validation error.
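The reorder step above, as an added worked example that is not part of the KB article and not VMware or NCP code: a small Go program (assumed file name fixchain.go) that reads the tls.crt bundle pulled out of the namespace secret, works out the leaf/intermediate/root order by checking which certificate actually signed which (rather than trusting subject/issuer names), and re-emits the PEM blocks in the order NSX Manager's import expects. It refuses bundles that would still be rejected: more than one end-entity certificate (typically the old and the new server certificate pasted together) or a chain that does not end in a self-signed root. It uses only the Go standard library; the sample chain (Constructed Root CA, Constructed Intermediate CA, ingress.example.test) is generated in-process from throwaway keys and is constructed test data, not material from a real cluster.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// OrderChain re-emits a PEM bundle as leaf, intermediate(s), root (the order NSX Manager requires),
// choosing each link by verifying the signature rather than by matching subject/issuer names.
func OrderChain(bundle []byte) ([]byte, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // a private key pasted into tls.crt fails here
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	signer := func(c *x509.Certificate) *x509.Certificate { // the bundle cert that signed c, or nil
		for _, p := range certs {
			if p != c && c.CheckSignatureFrom(p) == nil {
				return p
			}
		}
		return nil
	}
	isSigner := map[*x509.Certificate]bool{}
	for _, c := range certs {
		isSigner[signer(c)] = true
	}
	var leaves []*x509.Certificate // certs that signed nothing else; a valid bundle has exactly one
	for _, c := range certs {
		if !isSigner[c] {
			leaves = append(leaves, c)
		}
	}
	if len(leaves) != 1 {
		return nil, fmt.Errorf("expected exactly one leaf certificate, found %d", len(leaves))
	}
	var out bytes.Buffer
	for cur := leaves[0]; cur != nil; cur = signer(cur) {
		pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: cur.Raw})
		if cur.CheckSignatureFrom(cur) == nil { // self-signed root reached: chain complete
			return out.Bytes(), nil
		}
	}
	return nil, errors.New("chain incomplete: it does not end in a self-signed root CA")
}

// SampleMisorderedBundle is constructed test data (not a real cluster secret): a root -> intermediate
// -> leaf chain on throwaway Ed25519 keys, concatenated in an order NSX rejects: root, leaf, intermediate.
func SampleMisorderedBundle() []byte {
	mk := func(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
		if parent == nil { // self-signed root
			parent, pkey = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c, key
	}
	root, rootKey := mk("Constructed Root CA", true, nil, nil)
	inter, interKey := mk("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := mk("ingress.example.test", false, inter, interKey)
	var b bytes.Buffer
	for _, c := range []*x509.Certificate{root, leaf, inter} {
		pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return b.Bytes()
}

func main() { // usage: go run fixchain.go tls.crt > tls.fixed.crt
	in, _ := os.ReadFile(os.Args[1])
	out, err := OrderChain(in)
	if err != nil {
		os.Stderr.WriteString("error: " + err.Error() + "\n")
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

To use it against a real namespace (assumed secret name, namespace and host names), extract the bundle with kubectl get secret <name> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt, inspect it with openssl crl2pkcs7 -nocrl -certfile tls.crt | openssl pkcs7 -print_certs -noout (which prints subject and issuer of every block in file order), run the program to produce tls.fixed.crt, then re-apply the secret with kubectl create secret tls <name> -n <namespace> --cert=tls.fixed.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -. After NCP has re-run the Ingress update, openssl s_client -connect <host>:443 -servername <host> </dev/null | openssl x509 -noout -subject -dates shows which certificate the NSX Virtual Server is actually presenting.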