VCF_Upgrade_NSX - Stopping Point-NSX-T Upgrade Fails in the Beginning

Summary: During an NSX-T upgrade initiated from software-defined data center (SDDC) Manager, the process fails. An SSL handshake failure between VCF Lifecycle Manager (LCM) and VxRail Manager typically causes this issue. This can be due to an untrusted or missing certificate in the Java truststore. ...


Symptoms

Error:
"Retrieving update detail failed. VCF services are not available. Unable to retrieve aggregated upgrade details: Cannot read properties of undefined (reading 'nsxt-mgmt.local:vcenter.local:domain-c7')"

In the SDDC Manager UI, the upgrade fails with:

  • Upgrade element resourceType: NSX_T_PARALLEL_CLUSTER resourceId: nsxt-mgr.local:_ParallelClusterUpgradeElement status changed to COMPLETED_WITH_FAILURE

  • 9/3/25, 2:38 PM Upgrade element resourceType: NSX_T_HOSTCLUSTER resourceId: nsxt-mgmt.local:vcenter-mgmt.local:domain-c9 status changed to SKIPPED

In the lcm-debug.log, the following errors are observed:

2025-09-03T11:38:43.532+0000 INFO  [vcf_lcm,0000000000000000,0000,upgradeId=0d7315ba-b55a-44f5-97af-e830e5ee351c,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=nsxt-mgmt.local:_ParallelClusterUpgradeElement,bundleElementId=d047696f-0b52-4fa7-8897-5a085bfd4c2b] [o.a.h.c.h.i.c.HttpRequestRetryExec,Upgrade-1] Recoverable I/O exception (javax.net.ssl.SSLHandshakeException) caught when processing request to {s}->https://vxrail-mgr.local:443

2025-09-03T11:38:43.562+0000 ERROR [vcf_lcm,0000000000000000,0000,upgradeId=0d7315ba-b55a-44f5-97af-e830e5ee351c,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=nsxt-mgmt.local:_ParallelClusterUpgradeElement,bundleElementId=d047696f-0b52-4fa7-8897-5a085bfd4c2b] [c.v.e.s.l.p.impl.vxm.VxManagerClient,Upgrade-1] General exception in executeVxManagerHttpRequest PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2025-09-03T11:38:43.562+0000 ERROR [vcf_lcm,0000000000000000,0000,upgradeId=0d7315ba-b55a-44f5-97af-e830e5ee351c,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=nsxt-mgmt.local:_ParallelClusterUpgradeElement,bundleElementId=d047696f-0b52-4fa7-8897-5a085bfd4c2b] [c.v.e.s.l.p.i.nsxt.NsxtUpgradeUtil,Upgrade-1] Unhandled exception during NSX component upgrade:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Key Error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • This indicates that the VCF Lifecycle Manager (LCM) is attempting to communicate with VxRail Manager at https://vxrail-mgr.local:443, but the SSL handshake is failing due to an untrusted or missing certificate in the Java truststore.
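When lcm-debug.log is long, correlating these lines by upgradeId shows which endpoint LCM could not trust and how many PKIX errors belong to the same upgrade. The following is an added example, not Dell or VMware tooling; the function names are illustrative and the sample input is three lines copied from the excerpt above.

```shell
# Added example: function names are illustrative, not part of VCF or VxRail.

# Sample input: three lines copied from the lcm-debug.log excerpt on this page.
sample_lcm_log() {
cat <<'EOF'
2025-09-03T11:38:43.532+0000 INFO  [vcf_lcm,0000000000000000,0000,upgradeId=0d7315ba-b55a-44f5-97af-e830e5ee351c,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=nsxt-mgmt.local:_ParallelClusterUpgradeElement,bundleElementId=d047696f-0b52-4fa7-8897-5a085bfd4c2b] [o.a.h.c.h.i.c.HttpRequestRetryExec,Upgrade-1] Recoverable I/O exception (javax.net.ssl.SSLHandshakeException) caught when processing request to {s}->https://vxrail-mgr.local:443
2025-09-03T11:38:43.562+0000 ERROR [vcf_lcm,0000000000000000,0000,upgradeId=0d7315ba-b55a-44f5-97af-e830e5ee351c,resourceType=NSX_T_PARALLEL_CLUSTER,resourceId=nsxt-mgmt.local:_ParallelClusterUpgradeElement,bundleElementId=d047696f-0b52-4fa7-8897-5a085bfd4c2b] [c.v.e.s.l.p.impl.vxm.VxManagerClient,Upgrade-1] General exception in executeVxManagerHttpRequest PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
EOF
}

# Read lcm-debug.log text on stdin and print one line per upgrade that hit a
# TLS handshake failure: "<upgradeId> <endpoint> pkix_errors=<n>".
lcm_tls_failures() {
  awk '
    {
      # Continuation lines (stack traces) carry no upgradeId of their own.
      id = "no-upgrade-id"
      if (match($0, /upgradeId=[0-9a-f-]+/))
        id = substr($0, RSTART + 10, RLENGTH - 10)
    }
    # The HTTP client retry line names the endpoint that failed the handshake.
    /SSLHandshakeException/ && match($0, /https:\/\/[A-Za-z0-9._-]+(:[0-9]+)?/) {
      endpoint[id] = substr($0, RSTART, RLENGTH)
    }
    # Count trust failures logged under the same upgradeId.
    /PKIX path building failed/ { pkix[id]++ }
    END {
      for (id in endpoint)
        printf "%s %s pkix_errors=%d\n", id, endpoint[id], pkix[id]
    }
  ' | sort
}
```

Against a real log this would be run as lcm_tls_failures < lcm-debug.log.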

Cause

The VCF Lifecycle Manager (LCM) attempts to communicate with VxRail Manager at: https://vxrail-mgr.local:443

However, the SSL handshake fails because the certificate presented by VxRail Manager is either:

  • Self-signed, or
  • Missing from the Java truststore used by VCF

As a result, the upgrade process cannot proceed due to a lack of trust in the certificate chain.

Resolution

Follow these steps to resolve the issue:


Step 1: Export the VxRail Manager Certificate.

From the SDDC Manager, run the following command:

echo | openssl s_client -connect vxrail-mgr.local:443 -showcerts

  • Copy the entire certificate chain (everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
  • Save it to a file, for example, /tmp/vxrail.crt

Step 2: Import the Certificate into the VCF Truststore.

Follow the instructions in the Broadcom Knowledge Base article "Update SDDC Manager when a VxRail Manager certificate has been replaced".

  • You can validate that the certificate is now trusted by running openssl s_client -connect vxrail-mgr.local:443 and checking that the certificate chain is verified.

Step 3: Restart VCF Services.

After importing the certificate, restart the VCF services to apply the changes:

/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanagerrestartservices.sh


Step 4: Retry the NSX-T Upgrade.

Return to the SDDC Manager UI and retry the upgrade for the NSX-T Parallel Cluster. Confirm that the upgrade proceeds past the previously failing point.


Step 5: Monitor the Upgrade.

Monitor the upgrade to ensure that it completes successfully.
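Steps 1 and 2 can be scripted so that only the PEM blocks are saved and each certificate is inspected before it is imported. The following is an added example, not taken from the Dell or Broadcom articles: the function names are illustrative, and the sample s_client text is constructed with placeholder bodies rather than real certificates.

```shell
# Added example for Steps 1 and 2; function names are illustrative only.

# Constructed stand-in for `openssl s_client -showcerts` output.
# The bodies are placeholders, not real certificates.
sample_s_client_output() {
cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = vxrail-mgr.local
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
Server certificate
EOF
}

# Keep only the PEM certificate blocks from s_client output read on stdin.
extract_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
       inblock                       { print }
       /-----END CERTIFICATE-----/   { inblock = 0 }'
}

# Step 1: save the chain presented by host:port ($1) to a PEM file ($2).
fetch_chain() {
  echo | openssl s_client -connect "$1" -showcerts 2>/dev/null | extract_chain > "$2"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$2"   # fail if nothing was captured
}

# Before Step 2: print identity, expiry and SHA-256 fingerprint of each saved
# certificate so it can be compared with the one shown on VxRail Manager.
describe_chain() {
  tmpdir=$(mktemp -d) || return 1
  awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n { print > (d "/cert" n ".pem") }' "$1"
  for f in "$tmpdir"/cert*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
  done
  rm -rf "$tmpdir"
}
```

On the SDDC Manager this would be run as fetch_chain vxrail-mgr.local:443 /tmp/vxrail.crt followed by describe_chain /tmp/vxrail.crt. The chain is fetched over a connection that is not yet trusted, so the fingerprint comparison is what establishes that the saved certificate is the one VxRail Manager actually holds.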

Additional Information

  • This issue is commonly encountered in environments where self-signed certificates are used or certificate chains are not properly maintained.
  • Regularly updating and validating certificates in the environment can prevent such issues during life cycle operations.

Affected Products

VxRail, VxRail G Series Nodes, VxRail P Series Nodes, VxRail S Series Nodes, VxRail V Series Nodes

Article Properties
Article Number: 000364829
Article Type: Solution
Last Modified: 20 Oct 2025
Version:  2