NSX Edge node upgrade from 4.2.2.1 to 4.2.3.3 fails while downloading the Node Upgrade Bundle (NUB). The Edge node cannot establish a TLS connection to the NSX Manager repository because certificate verification fails with: SSL: no alternative certificate subject name matches target host name 'FQDN of NSX manager'
The error is recorded in the syslog of the NSX Edge node during the curl-based download:
YYYY-MM-DDTHH:MM:SS.487Z <Edge VM FQDN> NSX 1432 - [nsx@6876 comp="nsx-edge" subcomp="upgrade-agent" tid="1806" level="ERROR" errorCode="MPA50007"] Error downloading nub 'https://<NSX manager FQDN>/repository/4.2.3.3.0.25171318/Edge/nub/VMware-NSX-edge-4.2.3.3.0.25171324.nub', output msg: , error msg: * Trying (with httplib) <NSX manager FQDN>:443...#012* certificate verification ############################################################### from <NSX manager FQDN>:443 failed: SSL: no alternative certificate subject name matches target host name '<NSX manager FQDN>'#012* Closing connection 0#012curl_wrapper: (51) SSL: no alternative certificate subject name matches target host name '<NSX manager FQDN>'#012
YYYY-MM-DDTHH:MM:SS.487Z <Edge VM FQDN> NSX 1432 - [nsx@6876 comp="nsx-edge" subcomp="upgrade-agent" tid="1806" level="ERROR" errorCode="MPA50006"] Error preparing upgrade
NSX 4.2.x
The root cause is a mismatch between the FQDN or IP that the Edge uses to reach the NSX Manager and the identities listed in the Subject Alternative Name (SAN) of the NSX Manager's REST API certificate. When a certificate carries a SAN, curl and OpenSSL consult only the SAN entries and ignore the subject Common Name, which is why this particular error message appears: the certificate has SAN entries, but none of them is the host name in the repository URL.
This typically occurs when a CA-signed certificate was replaced without including the cluster VIP, all manager node FQDNs, or their IP addresses in the SAN field.
To resolve the mismatch, ensure the certificate's SAN contains every identity used to reach the manager, including the host name in the repository URL.
Update CA-Signed Certificate:
Re-issue the CA-signed certificate with a SAN that lists the cluster VIP FQDN, every manager node FQDN, and their IP addresses, then apply it to the REST API.
Use Self-Signed Certificate (Alternative):
If a CA-signed certificate is not strictly required, generate a new self-signed certificate via the NSX UI (System > Certificates) that includes the correct FQDNs and IPs and apply it to the REST API.
DNS Validation:
Confirm that the NSX Manager FQDN used in the repository URL resolves to the intended cluster VIP or node IP. The certificate presented by whichever endpoint the name resolves to must list that FQDN in its SAN; if it does not, the error persists.
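The following Python script, added here as an illustration and not part of the KB or of any NSX tooling, reproduces the SAN matching rule that curl applies and that produced the error above: DNS SAN entries are matched (case-insensitively, with a left-most-label wildcard) against a host name, IP SAN entries against an IP literal, and the subject CN is never consulted. It runs on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be pointed at a live manager with fetch_peer_cert(). The certificate, host names and addresses in SAMPLE_CERT, REQUIRED_IDENTITIES and FAKE_DNS are constructed for the example and do not come from any real NSX deployment.

```python
"""Check an X.509 certificate's SAN against the host name a client will use.

Mirrors curl's rule: when a certificate carries a subjectAltName, only SAN
entries are consulted (DNS entries for a host name, IP entries for an IP
literal) and the subject CN is ignored.  Operates on the dict returned by
ssl.SSLSocket.getpeercert().
"""
import ipaddress
import socket
import ssl


def san_entries(cert, kind):
    """Return the SAN values of one kind ('DNS' or 'IP Address')."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def _as_ip(text):
    """Parse an IP literal, or return None if `text` is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Exact match, or a '*' standing for the whole left-most label only
    ('*.a.b' matches 'x.a.b' but not 'a.b' or 'y.x.a.b')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches_san(cert, host):
    """True if `host` (DNS name or IP literal) is covered by the SAN."""
    ip = _as_ip(host)
    if ip is not None:
        return any(_as_ip(v) == ip for v in san_entries(cert, "IP Address"))
    return any(_dns_match(p, host) for p in san_entries(cert, "DNS"))


def missing_identities(cert, required):
    """Identities (names or IPs) the SAN must contain but does not."""
    return [ident for ident in required if not hostname_matches_san(cert, ident)]


def diagnose(cert, host, resolver=socket.gethostbyname):
    """Summarise why a client using `host` would accept or reject `cert`.
    `resolver` is injectable so the check can run offline."""
    result = {"host": host, "san_present": bool(cert.get("subjectAltName")),
              "san_match": hostname_matches_san(cert, host),
              "resolved_ip": None, "resolved_ip_in_san": None}
    if _as_ip(host) is None:
        try:
            result["resolved_ip"] = resolver(host)
        except OSError:
            pass  # name does not resolve; report as None
        if result["resolved_ip"] is not None:
            # Only matters if a client connects by IP: a name in the URL is
            # matched as written, regardless of what it resolves to.
            result["resolved_ip_in_san"] = hostname_matches_san(cert, result["resolved_ip"])
    return result


def fetch_peer_cert(host, port=443, cafile=None):
    """Fetch a live server's certificate as a getpeercert() dict.  Chain
    verification stays on (getpeercert() returns {} without it); host name
    checking is off so a wrong SAN can still be inspected.  Needs network."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed example (not captured from any NSX system): the replaced
# CA-signed certificate names each manager node but omits the cluster VIP
# name that the Edge uses in the repository URL; the CN does not rescue it.
SAMPLE_CERT = {
    "subject": ((("commonName", "nsx-vip.corp.example"),),),
    "subjectAltName": (
        ("DNS", "nsx-mgr-01.corp.example"), ("DNS", "nsx-mgr-02.corp.example"),
        ("DNS", "nsx-mgr-03.corp.example"),
        ("IP Address", "10.10.0.11"), ("IP Address", "10.10.0.12"),
        ("IP Address", "10.10.0.13"),
    ),
}
# Constructed: every identity the manager should be reachable under.
REQUIRED_IDENTITIES = ["nsx-vip.corp.example", "10.10.0.10",
                       "nsx-mgr-01.corp.example", "nsx-mgr-02.corp.example",
                       "nsx-mgr-03.corp.example"]
# Constructed offline stand-in for DNS.
FAKE_DNS = {"nsx-vip.corp.example": "10.10.0.10", "nsx-mgr-01.corp.example": "10.10.0.11"}


def fake_resolver(name):
    if name.lower() not in FAKE_DNS:
        raise socket.gaierror(name)
    return FAKE_DNS[name.lower()]


if __name__ == "__main__":
    for h in ("nsx-vip.corp.example", "nsx-mgr-01.corp.example", "10.10.0.12"):
        print(diagnose(SAMPLE_CERT, h, fake_resolver))
    print("missing from SAN:", missing_identities(SAMPLE_CERT, REQUIRED_IDENTITIES))
```

Against a real manager, replace SAMPLE_CERT with fetch_peer_cert("<NSX manager FQDN>", cafile="<CA bundle>") and run missing_identities() with the VIP name, VIP IP, node names and node IPs; an empty list means the SAN covers every identity and the download error should not recur once that certificate is applied.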
For more information, refer to KB 400165, where a similar issue was observed during NSX Manager upgrades (the root cause is the same for NSX Edge upgrade failures).