NSX - Upgrade Pre-check fail for Manager with "Failed to execute Certificate Validity Checks"

Article ID: 391702

Products

VMware NSX

Issue/Introduction

  • You will see the following messages on System > Upgrade > Check Upgrade Readiness:
  • In /var/log/upgrade-coordinator/upgrade-coordinator.log you will see the following messages:
    2025-03-13T13:18:50.998Z <NSX-FQDN/IP> NSX 3081738 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30956" level="ERROR"subcomp="upgrade-coordinator"] Failed to execute check Check if MP nodes are configured with valid FQDN
    2025-03-13T13:18:50.998Z <NSX-FQDN/IP> NSX 3081738 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Executing cleanUp for check Check if MP nodes are configured with valid FQDN
    2025-03-13T13:18:50.999Z <NSX-FQDN/IP> NSX 3081738 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="upgrade-coordinator"] [PUC] Pre-upgrade check InspectionTaskInfo[acknowledgement=false,componentType=MP,description=This precheck warns user to configure MP nodes with valid fqdn,id=validFqdnCheck,name=Check if MP nodes are configured with valid FQDN,needsAcknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>] failed with result BasicInspectionTaskResult{status=FAILURE, taskInfo=InspectionTaskInfo[acknowledgement=false,componentType=MP,description=This precheck warns user to configure MP nodes with valid fqdn,id=validFqdnCheck,name=Check if MP nodes are configured with valid FQDN,needsAcknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>], failureMessages=null, failures=[{"moduleName":"upgrade-coordinator","errorCode":30956,"errorMessage":"Failed to execute Check if MP nodes are configured with valid FQDN. [UC] Error in rest call. url=/nsxapi/api/v1/trust-management/certificates , method= GET , response= {#012  "httpStatus" : "BAD_REQUEST",#012  "error_code" : 2060,#012  "module_name" : "internal-framework",#012  "error_message" : "Certificate was revoked: [InternalIpSecVpnTunnelProfile, LbRule, InternalGroup, StaticHopBfdPeer, ArpTableConfig, InternalSwitchSecuritySwitchingProfile, LoadBalancerSslProfile, StaticRoute, LogicalSwitch, LogicalRouter, NatRule, IpfixDfwConfig, FirewallSection, InternalRouteMapConfig, RelayProfile, IpSecVpnSessionConfig, InternalIpSecVpnDpdProfile, InternalQosSwitchingProfile, BgpNeighbor, LoadBalancerPersistenceProfile, InternalIpv6NdraProfileConfig, InternalIpDiscoverySwitchingProfile, TransportNodeProfile, LrPort, L2VpnServiceConfig, PolicyTransportZone, HostTransportNode, LoadBalancerPool]."#012} , error= 400 : "{<EOL>  "httpStatus" : "BAD_REQUEST",<EOL>  "error_code" : 2060,<EOL>  "module_name" : "internal-framework",<EOL>  "error_message" : "Certificate was revoked: [InternalIpSecVpnTunnelProfile, LbRule, InternalGroup, StaticHopBfdPeer, ArpTableConfig, InternalSwitchSecuritySwitchingProfile, LoadBalancerSslProfile, StaticRoute, LogicalSwitch, LogicalRouter, NatRule, IpfixDfwConfig, FirewallSection, InternalRouteMapConfig, RelayProfile, IpSecVpnSessionConfig, InternalIpSecVpnDpdProfile, InternalQosSwitchingProfile, BgpNeighbor, LoadBalancerPersistenceProfile, InternalIpv6NdraProfileConfig, InternalIpDiscoverySwitchingProfile, TransportNodeProfile, LrPort, L2VpnServiceConfig, PolicyTransportZone, HostTransportNode, LoadBalancerPool]."<EOL>}" ."}]}
    2025-03-13T13:18:50.999Z <NSX-FQDN/IP> NSX 3081738 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] [PUC] Finish Check if MP nodes are configured with valid FQDN on component MP. Result -- BasicInspectionTaskResult{status=FAILURE, taskInfo=InspectionTaskInfo[acknowledgement=false,componentType=MP,description=This precheck warns user to configure MP nodes with valid fqdn,id=validFqdnCheck,name=Check if MP nodes are configured with valid FQDN,needsAcknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>], failureMessages=null, failures=[{"moduleName":"upgrade-coordinator","errorCode":30956,"errorMessage":"Failed to execute Check if MP nodes are configured with valid FQDN. [UC] Error in rest call. url= /nsxapi/api/v1/trust-management/certificates , method= GET , response= {#012  "httpStatus" : "BAD_REQUEST",#012  "error_code" : 2060,#012  "module_name" : "internal-framework",#012  "error_message" : "Certificate was revoked: [InternalIpSecVpnTunnelProfile, LbRule, InternalGroup, StaticHopBfdPeer, ArpTableConfig, InternalSwitchSecuritySwitchingProfile, LoadBalancerSslProfile, StaticRoute, LogicalSwitch, LogicalRouter, NatRule, IpfixDfwConfig, FirewallSection, InternalRouteMapConfig, RelayProfile, IpSecVpnSessionConfig, InternalIpSecVpnDpdProfile, InternalQosSwitchingProfile, BgpNeighbor, LoadBalancerPersistenceProfile, InternalIpv6NdraProfileConfig, InternalIpDiscoverySwitchingProfile, TransportNodeProfile, LrPort, L2VpnServiceConfig, PolicyTransportZone, HostTransportNode, LoadBalancerPool]."#012} , error= 400 : "{<EOL>  "httpStatus" : "BAD_REQUEST",<EOL>  "error_code" : 2060,<EOL>  "module_name" : "internal-framework",<EOL>  "error_message" : "Certificate was revoked: [InternalIpSecVpnTunnelProfile, LbRule, InternalGroup, StaticHopBfdPeer, ArpTableConfig, InternalSwitchSecuritySwitchingProfile, LoadBalancerSslProfile, StaticRoute, LogicalSwitch, LogicalRouter, NatRule, IpfixDfwConfig, FirewallSection, InternalRouteMapConfig, RelayProfile, IpSecVpnSessionConfig, InternalIpSecVpnDpdProfile, InternalQosSwitchingProfile, BgpNeighbor, LoadBalancerPersistenceProfile, InternalIpv6NdraProfileConfig, InternalIpDiscoverySwitchingProfile, TransportNodeProfile, LrPort, L2VpnServiceConfig, PolicyTransportZone, HostTransportNode, LoadBalancerPool]."<EOL>}" ."}]}

     

  • NSX Manager uses a custom certificate.

Cause

The custom certificate applied to the NSX Manager services may be revoked, which causes the NSX pre-checks to fail.
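
One way to confirm this cause from upgrade-coordinator.log, as an added example that is not VMware tooling: the script pulls the REST call out of each failure line and reports whether the API answered with the revoked-certificate error seen in the Issue section. The sample lines are constructed and shortened from the format shown above; the host name `nsx-mgr.example` and the function name `rest_failures` are assumptions.

```python
import json
import re

# Constructed sample, shortened from the log format shown in this article.
_HDR = ('2025-03-13T13:18:50.999Z nsx-mgr.example NSX 3081738 SYSTEM [nsx@6876 '
        'comp="nsx-manager" level="{lvl}" subcomp="upgrade-coordinator"] ')
_TASK = ('InspectionTaskInfo[componentType=MP,id=validFqdnCheck,'
         'name=Check if MP nodes are configured with valid FQDN,resolution=false]')
_REST = ('[UC] Error in rest call. url= /nsxapi/api/v1/trust-management/certificates , '
         'method= GET , response= {#012  "httpStatus" : "BAD_REQUEST",#012  '
         '"error_code" : 2060,#012  "module_name" : "internal-framework",#012  '
         '"error_message" : "Certificate was revoked: [LbRule, LogicalSwitch]."#012} , '
         'error= 400')
SAMPLE_LOG = "\n".join([
    _HDR.format(lvl="ERROR") + "Failed to execute check Check if MP nodes "
                               "are configured with valid FQDN",
    _HDR.format(lvl="WARNING") + "[PUC] Pre-upgrade check " + _TASK
                               + " failed with result " + _REST,
    _HDR.format(lvl="INFO") + "[PUC] Finish check. Result -- " + _TASK + " " + _REST,
])

CHECK_RE = re.compile(r'\bid=(?P<id>\w+)')
REST_RE = re.compile(r'url=\s*(?P<url>\S+)\s*,\s*method=\s*(?P<method>\w+)\s*,'
                     r'\s*response=\s*(?P<body>\{.*?\})')

def rest_failures(log_text):
    """Return one record per (pre-check id, API error code) found in the log."""
    found = {}
    for line in log_text.splitlines():
        rest = REST_RE.search(line)
        if not rest:
            continue  # entry carries no embedded REST response
        try:
            # syslog writes the newlines of the JSON body as "#012"
            body = json.loads(rest["body"].replace("#012", "\n"))
        except json.JSONDecodeError:
            continue  # body was truncated or wrapped by the logger
        check = CHECK_RE.search(line)
        key = (check["id"] if check else None, body.get("error_code"))
        # WARNING and INFO entries repeat the same failure; keep the first
        found.setdefault(key, {
            "check_id": key[0], "url": rest["url"], "method": rest["method"],
            "error_code": body.get("error_code"),
            "revoked": "Certificate was revoked" in body.get("error_message", ""),
        })
    return list(found.values())

if __name__ == "__main__":
    for rec in rest_failures(SAMPLE_LOG):
        print(rec)
```

The record shows that the pre-check named in the log failed because its certificate query was rejected, so the certificate is the thing to fix.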

Resolution

Replace the custom certificate with a self-signed certificate or a new, valid custom certificate, and reboot the NSX Manager nodes. After that, re-run the pre-check.