Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm

Article ID: 313460


Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Upgrading to vCenter Server or ESXi 8.0 requires an additional security precheck. This precheck ensures that vCenter Server and ESXi are not using certificates with weak signature algorithms, such as SHA1withRSA (sha1WithRSAEncryption). Certificates with weak signature algorithms are no longer supported in vSphere 8.0 in most contexts.

vCenter Server Upgrade Errors

The upgrade may fail with the following error message:

  • Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0.
  • The certificate with subject '/C=##/ST=##/O=###/OU=###/CN=###/...' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption.

ESXi Upgrade Errors

The upgrade may fail with the following host compatibility error:

  • Host not compatible with the image.
  • SHA-1 signature found in host certificate rui.crt (/DC=###/CN=###').
  • Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0. To proceed with the upgrade, replace it with a SHA-2 signature based certificate.
Cause

The signing chain for the machine certificate contains an old SHA-1 signed certificate, and vSphere 8 no longer accepts the SHA-1 signature algorithm.

Resolution

1. Run the Standalone Precheck Script

    The vsphere8_upgrade_certificate_checks.py script verifies certificates across vCenter and all connected ESXi hosts.
    1. Download the script attached to this KB.
    2. Transfer the script to the /tmp/ folder on the vCenter Server.
    3. Log in to the VCSA via SSH as root.
    4. Execute the script:
        python /tmp/vsphere8_upgrade_certificate_checks.py
    5. Resolve any identified "ERROR" or "FAIL" entries before proceeding with the upgrade.

If any certificates with a weak signature algorithm are found, the details are printed to the console window. These issues should be resolved before proceeding with the upgrade. An example output with failures is shown below.

python /tmp/vsphere8_upgrade_certificate_checks.py
Enter hostname [Default: localhost]:
            INFO Verifying vCenter Server VECS store: MACHINE_SSL_CERT
            INFO Verifying vCenter Server VECS store: TRUSTED_ROOTS

            Error #################### Errors Found ####################
            ERROR
            ERROR Support for certificates with weak signature algorithms has been removed in vSphere 8.0....Correct the following <#> issues before proceeding with upgrade....
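The check the precheck performs is a read of each certificate's outer signatureAlgorithm OID. The following is an added example of that check, written for this article and not the attached vsphere8_upgrade_certificate_checks.py script: a minimal DER/PEM reader that reports the signature algorithm of every certificate in a PEM bundle (a single rui.crt or a multi-certificate castore.pem) and flags SHA-1 and MD5 signatures. The OID table is taken from the RFCs; the test certificates it builds are constructed envelopes with a dummy tbsCertificate and signature value, not real certificates.

```python
# Added example: report the signature algorithm of each certificate in a PEM bundle.
# Not the KB's attached script; the certificate material below is constructed.
import base64
import re

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(data, offset):
    """Return (tag, content, next_offset) for the DER element at offset."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:  # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Name (or raw OID) of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, after_tbs)   # signatureAlgorithm
    tag, oid, _ = read_tlv(alg_id, 0)            # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pem_bundle(pem_text):
    """Return [(index, algorithm, is_weak)] for every certificate in the bundle."""
    results = []
    for i, body in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(body.split()))
        alg = signature_algorithm(der)
        results.append((i, alg, alg in WEAK_ALGORITHMS))
    return results


# --- constructed test material: valid DER envelopes with a dummy body, no real key ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate_pem(sig_oid):
    """Constructed certificate whose signatureAlgorithm is sig_oid (demo only)."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x02") + alg_id)   # placeholder tbsCertificate
    sig = _der(0x03, b"\x00" + b"\xAB" * 128)        # BIT STRING, dummy signature
    body = base64.b64encode(_der(0x30, tbs + alg_id + sig)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = fake_certificate_pem("1.2.840.113549.1.1.11") + fake_certificate_pem("1.2.840.113549.1.1.5")
    for idx, alg, weak in check_pem_bundle(bundle):
        print(f"{'FAIL' if weak else 'PASS'} certificate #{idx}: {alg}")
```

On a real host, pass the contents of /etc/vmware/ssl/rui.crt or of castore.pem to check_pem_bundle; only the outer signatureAlgorithm is inspected, which is exactly the field the precheck error quotes (sha1WithRSAEncryption), and every certificate in a chain is reported individually so an old SHA-1 root buried in a bundle is not missed.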

2. Replace the vCenter Server Machine Certificate

If the failure indicates a problematic certificate in the MACHINE_SSL_CERT VECS store:

    1. Replace the vCenter machine SSL certificate with a certificate using a SHA-2 signature. Use the vCert scripted CLI tool or follow the Custom Certificate Authority workflow.
    2. Push the new CA certificate to the ESXi hosts by selecting the host in the vSphere Client and clicking Refresh CA Certificates.

3. Replace a vCenter Server Trusted Root Certificate

If the failure indicates a problematic certificate in the TRUSTED_ROOTS store:

      1. Add the new certificate: Navigate to Administration > Certificates > Certificate Management. Under Trusted Root Store, click Add and upload the SHA-2 compliant certificate.
      2. Push to Hosts: Navigate to each ESXi host in the vSphere UI and select Actions > Certificates > Refresh CA Certificates.
      3. Identify Dependent Solutions: Ensure leaf certificates for the following (if applicable) are updated:
        • VMware Solutions: vRA, vROps, SRM, NSX.
        • Partner Solutions: vVols (VASA Provider), Backup solutions.

4. Replace the ESXi Server TLS Certificate (rui.crt)

The ESXi TLS certificate is located at /etc/vmware/ssl/rui.crt.

    1. For VMCA-managed hosts: In the vSphere Client, navigate to the host and select Actions > Certificates > Renew Certificate.
    2. For Custom Certificates: Follow the steps to manually add a custom certificate on ESXi hosts.

5. VMCA is Acting as a Subordinate CA

If the upgrade precheck failure message indicates that a problematic certificate is part of the VMCA subordinate CA chain, follow the steps in the following linked article.

      1. "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in certificate chain when VMCA is a sub CA"

6. vCenter Server BACKUP_STORE Certificate

If the upgrade precheck failure message indicates that a problematic certificate is present in the VECS store "BACKUP_STORE", then the certificate can be safely removed using one of the methods below.

    1. vCert scripted CLI tool
    2. Remove the certificate using `vecs-cli`

7. The ESXi Server TLS Certificate (rui.crt)

The ESXi TLS certificate is managed by vCenter Server by default; however, administrators may choose to manually assign a certificate. If the current TLS certificate is signed with a weak signature algorithm, a new certificate must be issued. Note that this certificate is stored in a file named "rui.crt", which may be displayed in the upgrade precheck error messages.

    1. Issue a VMCA signed TLS certificate for ESXi using the vSphere UI
    2. Issue a custom TLS certificate for ESXi

8. The ESXi Server Certificate Store (castore.pem)

If the upgrade precheck failure message indicates that a problematic certificate is related to ESXi certificates, follow the steps in the following linked article.

    1. "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in ESXi certificate chain when ESXi using custom CA certs"

9. vVols (Virtual Volumes)

If the upgrade precheck failure message indicates that a problematic certificate is related to vVols (VASA) certificates, follow the steps in the following linked article.

    1. "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in SMS Certificate"

Additional Information

Attachments

vsphere8_upgrade_certificate_checks