Patch installation in vCenter 7.0.x fails with “Exception occurred in postInstallHook” due to a failure when generating the certificate for the WCP solution user

Article ID: 301540

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Patch installation in vCenter Server 7.0 fails with an error message:

Exception occurred in postInstallHook

  • The patch runner log, /var/log/vmware/applmgmt/Patchrunner.log, contains the following entries:
    YYYY-MM-DD HH:MM:SS wcp:Patch INFO root Generating certificate for user "wcp"
    YYYY-MM-DD HH:MM:SS wcp:Patch ERROR root Failed to update solution user wcp.
  • When checking /var/log/vmware/vmcad/vmcad.log, indications of an authorization issue are seen:
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] [OPID :RPC] Entering RpcVMCAGetSignedCertificate
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: ####@vsphere.local 
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local 
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/auth.c:VMCALdapAccessCheck:92] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] VMCACheckAccessKrb: Access denied as user is not administrator
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/rpcserv.c:VMCACheckAccess:103] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/rpcserv.c:RpcVMCAGetSignedCertificate:364] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] [RPC] Exiting RpcVMCAGetSignedCertificate, Status = 5

Environment

VMware vCenter Server 7.0.x

Cause

This issue can happen if the DCAdmins SSO group was accidentally removed from the CAAdmins group.
The vCenter machine account <vCenter_PNID>@vsphere.local is a member of DCAdmins, while CAAdmins membership is required in order to generate certificates.

Resolution

To solve this problem, add the DCAdmins group to CAAdmins, either using JXplorer or, preferably, the ldapadd CLI command:
  1. Connect to the VCSA via SSH
  2. Log in with the root account
  3. In BASH, create a new file:
    # vi test.ldif
  4. Populate the file with the following content:
    dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local
  5. Save the file and exit the vi editor (:wq)
  6. Run the following command to apply the content of the file to the VMDir database, thus updating the group membership:
    # /opt/likewise/bin/ldapadd -h localhost -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w '<password for user Administrator>' -f test.ldif
  7. Retry the update
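As an added example (not part of this article), the following POSIX shell fragment checks whether CAAdmins already lists DCAdmins as a member before the LDIF above is applied, and emits the modify LDIF only when the membership is missing. The ldapsearch path under /opt/likewise/bin and the sample search output are assumptions.

```shell
#!/bin/sh
# Added example, not from the VMware KB article: verify CAAdmins membership
# before applying the fix, so the ldapadd step is only run when needed.

CAADMINS_DN='cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local'
DCADMINS_DN='cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local'

# Returns 0 if the LDIF text passed as $1 (output of an ldapsearch on the
# CAAdmins entry) contains DCAdmins as a member, 1 otherwise.
# Matching is case-insensitive because LDAP DNs are compared that way.
caadmins_has_dcadmins() {
    printf '%s\n' "$1" | grep -iq "^member: *${DCADMINS_DN}\$"
}

# Emit the modify LDIF from the resolution steps (add DCAdmins to CAAdmins).
build_fix_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$CAADMINS_DN" "$DCADMINS_DN"
}

# Live query on a VCSA: assumes the likewise ldapsearch binary sits beside the
# ldapadd the article uses. $1 is the Administrator@vsphere.local password.
query_caadmins() {
    /opt/likewise/bin/ldapsearch -h localhost -x \
        -D 'cn=administrator,cn=users,dc=vsphere,dc=local' -w "$1" \
        -b "$CAADMINS_DN" -s base '(objectClass=*)' member
}

# Constructed sample: CAAdmins after DCAdmins was removed (the failure case).
SAMPLE_BROKEN='dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
member: cn=Administrator,cn=users,dc=vsphere,dc=local'

# Constructed sample: healthy CAAdmins group.
SAMPLE_OK='dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
member: cn=Administrator,cn=users,dc=vsphere,dc=local
member: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local'

# Offline demonstration against the broken sample; on a real VCSA replace the
# sample with "$(query_caadmins "$PASSWORD")".
if caadmins_has_dcadmins "$SAMPLE_BROKEN"; then
    echo "DCAdmins is already a member of CAAdmins; nothing to do"
else
    echo "DCAdmins missing from CAAdmins; LDIF to apply with ldapadd:"
    build_fix_ldif
fi
```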
 

Additional Information