Pre-check error message "Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain" during vCenter Server upgrade/ update

Article ID: 312124

Products

VMware vCenter Server 8.0

Issue/Introduction

The vCenter Server upgrade pre-check shows the following error message:

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 2, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######'>'

Environment

VMware vCenter Server

Cause

  • An incomplete certificate chain: the Machine SSL certificate chain is invalid, or intermediate certificates are missing from the MACHINE_SSL_CERT store or the TRUSTED_ROOTS store.

  • A PNID mismatch: the Primary Network Identifier (PNID) does not match the hostname of the vCenter Server (see: Addressing vCenter FQDN and Hostname Case Mismatches).

Understanding the Certificate Chain of Trust

To successfully verify a certificate, the entire chain of trust must be present. Below is an example of a complete hierarchy using multiple intermediate CA certificates:

  • Machine SSL Certificate (Signed by Intermediate Certificate B)
  • Intermediate Certificate B (Signed by Intermediate Certificate C)
  • Intermediate Certificate C (Signed by Root Certificate)
  • Root Certificate (Self-signed trust anchor)

Why Verification Fails: If any certificate in this hierarchy is missing from the chain (whether it is Certificate B, Certificate C, or the Root Certificate), the chain of trust is broken, and certificate verification will fail.

Resolution

The following steps repair a missing chain in the vCenter Server's Machine SSL certificate.

Resolving a Missing CA Certificate:

To resolve a missing CA certificate issue, you must import the missing certificate into the TRUSTED_ROOTS store on the vCenter Server.

You can identify the missing certificate by reviewing the pre-check error, which displays the subject of the missing CA certificate. It looks similar to this:

Unable to find the root certificate with the subject 'X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######''

Methods to Import the Certificate:

You can import the missing certificate using any of the following three methods:

Fixing a MACHINE_SSL_CERT store that contains the wrong trusted roots, or is missing a trusted root certificate from the chain:

1. Extract the current certificate from the MACHINE_SSL_CERT store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt

2. Extract the current private key:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key

3. Build the complete certificate chain. Refer to: How to correctly chain custom root/intermediate SSL certificates to import into vCenter.

Open the extracted certificate file (/var/tmp/machine_ssl.crt) in a text editor and append the intermediate and root certificates. The file must contain the complete chain in the correct order:

  • Machine SSL Certificate
  • Intermediate CA Certificate(s)
  • Root CA Certificate

4. Delete the existing Machine SSL entry:

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y

5. Add the entry back using the updated full chain:

/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key

6. Restart the vCenter Server services to apply the changes:

service-control --stop --all && service-control --start --all

7. To resolve the PNID mismatch, regenerate the Machine SSL certificate, making sure its subject alternative name contains the current PNID of vCenter with the exact case. The PNID can be found by running: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

  The certificate can be regenerated using vCert: option 3. Manage certificates, then 1. Machine SSL certificate.

8. Re-run the upgrade after making these changes.
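As an added pre-import check (an example script written for this article, not VMware tooling), the following POSIX shell function validates the chain file built in step 3 before it is imported in step 5. It confirms the bundle is ordered Machine SSL certificate, intermediate CA(s), root CA as described under the certificate chain of trust above, that each certificate is followed by its issuer and the last one is a self-signed root, that openssl can build the path, and optionally that the leaf's subjectAltName contains the PNID from step 7 with the exact case. It assumes openssl is in PATH; the bundle path and the PNID value (from vmafd-cli get-pnid) are passed as arguments.

```shell
#!/bin/sh
# Pre-import check for a PEM bundle destined for the MACHINE_SSL_CERT store:
# the file must read leaf -> intermediate(s) -> root, each certificate must be
# followed by its issuer, the last one must be a self-signed root, and the
# leaf SAN may be checked for the PNID with exact case. Example added for
# this article, not VMware tooling; requires openssl in PATH.
set -u

# Split a bundle into one numbered file per certificate; print the directory.
split_pem() {
    dir=$(mktemp -d)
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    echo "$dir"
}

# Usage: check_chain BUNDLE.crt [PNID]  -> returns 0 only if every check passes
check_chain() {
    bundle=$1; pnid=${2:-}
    dir=$(split_pem "$bundle"); rc=0; want=""; last=""
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; return 1; }
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        # Each certificate must be followed by the CA that issued it.
        if [ -n "$want" ] && [ "$subj" != "$want" ]; then
            echo "chain break: expected '$want' next, found '$subj'" >&2; rc=1
        fi
        want=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        last=$f
    done
    # The final certificate has to be the self-signed trust anchor.
    if [ "$(openssl x509 -in "$last" -noout -subject | sed 's/^subject=//')" != "$want" ]; then
        echo "last certificate is not self-signed: root CA missing" >&2; rc=1
    fi
    # Let openssl build the path from the leaf, with the bundle as the untrusted
    # pool and the last certificate as the only trust anchor (an absent CA gives
    # the same 'unable to get issuer certificate' error as the pre-check).
    openssl verify -CAfile "$last" -untrusted "$bundle" "$dir/01.pem" >/dev/null || rc=1
    if [ -n "$pnid" ]; then
        # Case-sensitive on purpose: the SAN entry must match the PNID exactly.
        openssl x509 -in "$dir/01.pem" -noout -text | grep -A1 'Subject Alternative Name' \
            | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$pnid" \
            || { echo "leaf SAN has no entry DNS:$pnid (check PNID case)" >&2; rc=1; }
    fi
    rm -rf "$dir"
    return $rc
}
```

Run it as `check_chain /var/tmp/machine_ssl.crt "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"` on the appliance; a non-zero exit with the printed reason means the file should be corrected before the vecs-cli entry create step.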

Additional Information

Sample steps to export the CA certificate from a local Windows desktop:

Note: This is only an example of how to export a CA certificate from the Certificate Path based on the issuer name ("Go Daddy Root Certificate Authority - G2" in this example).

  1. Open the Machine SSL certificate of the vCenter Server on the local Windows desktop.
  2. Click the Certificate Path tab, select the CA certificate to export, and click View Certificate.
  3. A new window opens for the CA certificate selected from the Certificate Path.
  4. Select the Details tab of the CA certificate and click Copy to File.
  5. Click Next in the new window to export the certificate.
  6. Select Base-64 encoded X.509 (.CER).
  7. Enter the file name for the exported CA certificate and click Next.
  8. Click Finish to save the certificate.