This article provides information on using the Lookup Service Doctor (lsdoctor) Tool to assist in addressing each of these warning and error messages alongside the recommended resolution steps during the Pre-upgrade check when upgrading your VCSA 6.x to vCenter Server 7.0 Update 1 and later.

Symptoms:
During the Pre-upgrade check when upgrading VCSA 6.5.x and 6.7.x to VMware vCenter Sever 7.0 Update 1 and later, you experience these symptoms:

• The Pre-upgrade check result comes back with a “Warning” alongside a “Description” and a “Resolution”.
• The Pre-upgrade check result comes back with an “Error” alongside a “Resolution”.
• You see these warnings and errors similar (But not limited) to:
  • Certificate specified for SSL Trust has expired
  • Certificate specified for SSL Trust is not yet valid
  • Certificate specified for SSL Trust cannot be parsed
  • Duplicate service registrations of the same type has been detected
  • SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the legacy service registrations
  • A legacy service registrations for SSO service has been found to still use Port 7444
  • SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the service registrations
  • A stale service registration has been found to be using Solution User configuration from vCenter 5.5
  • A functional service registration has been found to be using Solution User configuration from vCenter 5.5

VMware vCenter Server 8.0
VMware vCenter Server 7.0.x

A new set of pre-upgrade checks have been added into vCenter Server 7.0 Update 1 and later upgrade mechanism to detect and correct issues that have been found with the SSO database on the vCenter Server Appliance. The goal is to allow you to correct issues and inconsistencies with the SSO database before proceeding with the upgrade to vCenter Server 7.0 Update 1 and later.

The Pre-upgrade check result provides recommended resolution steps based on each warning and/or error that may come up during the vCenter Server upgrade.

In parallel to these recommended resolution steps, use the Lookup Service Doctor tool to assist on resolving the issue as well.

Warning

Duplicate service registrations of the same type has been detected

Explanation: This warning indicates that a duplicate data for one or more services within the vCenter Server has been detected. There should be no duplication of data within the SSO database. Unless corrected, the upgrade to vCenter Server 7.0 Update 1 and later may fail.

For more information, see "Duplicate service registrations of the same type has been detected" warning during Pre-upgrade check (81867).

Certificate related Warnings or Errors

• Certificate specified for SSL Trust has expired
• Certificate specified for SSL Trust is not yet valid
• Certificate specified for SSL Trust cannot be parsed
• SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the service registrations

Explanation: These errors indicate that one or more services within vCenter Server has failed SSL certificate validation. Unless corrected, the upgrade to vCenter 7.0 Update 1 and later may fail.

To resolve this issue, replace the SSL certificate with a valid certificate. Use the Lookup Service Doctor Tool using the --trustfix option to correct SSL certificate issues.

Note: For this message: “SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the service registrations”, if the upgrade still reports this message after running the lsdoctor tool with the --trustfix option, this means that this is a false-positive and you can safely ignore this warning and continue with the upgrade.

Also, see:

• How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294)
• CertificateStatusAlarm – There are certificate that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server (68171)
• How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)

Other Warnings or Errors

• A legacy service registrations for SSO service has been found to still use Port 7444
• A stale service registration has been found to be using Solution User configuration from vCenter 5.5
• A functional service registration has been found to be using Solution User configuration from vCenter 5.5

Explanation: These errors indicate that one or more legacy services within vCenter Server is using a Solution User that has been configured for vCenter Server 5.5.x. A legacy service is a service that has been migrated from vCenter 6.0 or earlier. Unless corrected, the upgrade to vCenter 7.0 Update 1 and later may fail.

To resolve this issue, correct the service registration and Solution User associated with these legacy services. Use the Lookup Service Doctor Tool using the --stalefix option to correct stale configurations left over from a system upgraded from vCenter Server 5.x.

Impact/Risks:

Warning

Before using the Lookup Service Doctor tool to make any changes, ensure you have taken proper snapshots of your SSO domain. This means that you must shut down all VCs or PSCs that are in the SSO domain at the same time, temporarily back them up using snapshots, and power them on again. If you need to revert to one of these snapshots, shut all the nodes down, and revert all nodes to the snapshot. Failure to perform these steps may lead to replication problems across the PSC databases.

Limitations

Currently, the Lookup Service Doctor tool supports vCenter 6.5 and above (both Windows and VCSA). When new builds of vCenter Servers are released, the lsdoctor tool must be updated asynchronously. This means that the lsdoctor tool support for the latest version of vCenter Server may be updated sometime after a new build is released.

For more information, see Using the 'lsdoctor' Tool (80469).