Upgrading an NSX Application Platform deployment that uses a Harbor registry with a private CA causes a certificate verification error.

Problem

Attempting to upgrade the NSX Application Platform to version 4.1.2 using a private Harbor registry with a private CA fails because the self-signed private Harbor CA certificate cannot be verified.

Cause

The Harbor CA certificate in NSX Manager is not propagated to all components of the NSX Application Platform. Consequently, this certificate is unavailable on the NSX Application Platform Upgrade Coordinator.

The Upgrade Coordinator does not load the host certificates, making the certificates added to the Kubernetes cluster unavailable during the upgrade process. This causes the Helm certificate to fail verification as it is considered signed by an unknown authority.

Solution

  1. Execute the following command on the NSX Manager.
    napp-k edit deployment upgrade-coordinator
  2. Add the following to the volumes section in the upgrade-coordinator deployment YAML file.
    volumes:
      - hostPath:
          path: /etc/ssl/certs
          type: ""
        name: host-ssl-certs
  3. Add the following to the volumeMounts section in the upgrade-coordinator deployment YAML file.
    volumeMounts:
      - mountPath: /etc/ssl/certs
        name: host-ssl-certs
  4. Wait for the Upgrade Coordinator to restart and proceed with the upgrade.
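
To confirm that both edits from steps 2 and 3 were saved before starting the upgrade, the deployment can be checked programmatically. The following script is an added example, not part of the original procedure or of NSX tooling; the container name and the extra volume in the sample are constructed, and only the volume name and path come from the steps above.

```python
import json
import sys

CERT_DIR = "/etc/ssl/certs"      # path used in steps 2 and 3
VOLUME_NAME = "host-ssl-certs"   # volume name used in steps 2 and 3

# Constructed sample: a trimmed deployment as it should look after the edit.
# The container name and the "config" volume are made up for illustration.
SAMPLE = {
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "config", "emptyDir": {}},
            {"name": VOLUME_NAME, "hostPath": {"path": CERT_DIR, "type": ""}},
        ],
        "containers": [{
            "name": "example-container",
            "volumeMounts": [{"name": VOLUME_NAME, "mountPath": CERT_DIR}],
        }],
    }}}
}

def check_deployment(deployment):
    """Return a list of problems; an empty list means both edits are in place."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    problems = []
    vol = next((v for v in pod.get("volumes") or []
                if v.get("name") == VOLUME_NAME), None)
    if vol is None:
        problems.append(f"no volume named {VOLUME_NAME}")
    elif (vol.get("hostPath") or {}).get("path") != CERT_DIR:
        problems.append(f"volume {VOLUME_NAME} is not a hostPath to {CERT_DIR}")
    # At least one container must mount the volume at the CA bundle path.
    mounted_in = [c.get("name") for c in pod.get("containers") or []
                  if any(m.get("name") == VOLUME_NAME and m.get("mountPath") == CERT_DIR
                         for m in c.get("volumeMounts") or [])]
    if not mounted_in:
        problems.append(f"no container mounts {VOLUME_NAME} at {CERT_DIR}")
    return problems

if __name__ == "__main__":
    # With a file argument, check that deployment JSON; otherwise check SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    issues = check_deployment(doc)
    print("\n".join(issues) if issues else "host CA bundle is mounted")
    sys.exit(1 if issues else 0)
```

Save the deployment as JSON (for example with kubectl's standard `-o json` output option, assuming `napp-k` passes it through) and give the file path as the first argument.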

What to do next

This error can also occur post-upgrade if you delete Security Intelligence and attempt to reactivate it. Reactivation of Security Intelligence fails until the certificates are manually added to the cluster-api pod by following the solution steps outlined.

See Service Activation Failure After Upgrade Due to Private CA Certificate Error.