VMware Cloud Foundation Skip Level Upgrade Tool fails to connect to management vCenter due to an untrusted certificate

Article ID: 324102

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • When using the Skip Level Tool to perform an upgrade of VMware Cloud Foundation, connections to the management vCenter fail with certificate trust errors.
  • The following error is shown in skiplevelupgrade.log:
YYYY-MM-DD HH:mm:ss [main] INFO  [com.vmware.evo.sddc.lcm.sdk.util.SnapshotUtil]
                  Connecting to vCenter https://vCenter_FDQN/sdk
YYYY-MM-DD HH:mm:ss [main] DEBUG [com.vmware.evo.sddc.lcm.primitive.common.ssl.CustomTrustManager]
                  checkServerTrusted is called
YYYY-MM-DD HH:mm:ss [main] INFO  [com.vmware.evo.sddc.lcm.primitive.common.ssl.CustomTrustManager]
                  Fall back to default trust manager
YYYY-MM-DD HH:mm:ss [main] ERROR [com.vmware.evo.sddc.lcm.primitive.common.connection.ConnectedVimServiceBase]
                  No valid connection available.
com.vmware.evo.sddc.lcm.primitive.common.connection.BasicConnection$BasicConnectionException: failed to connect: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Environment

VMware Cloud Foundation 3.10.x

Cause

The Skip Level Upgrade Tool connects to the management vCenter to take a snapshot of SDDC Manager before initiating the upgrade. This issue occurs when the default VMCA-signed vCenter certificate has been replaced with a CA-signed certificate. The Skip Level Upgrade Tool does not trust CA-signed certificates.
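
To confirm that a failed run matches this article, the log can be checked for a vCenter connection attempt followed by a PKIX path-building failure. The script below is an added example, not part of the Skip Level Upgrade Tool or the original article; the sample log is constructed from the excerpt above, with a placeholder hostname and timestamps, and the function names are hypothetical.

```python
import re

# Record header as it appears in the article's skiplevelupgrade.log excerpt:
# "<date> <time> [thread] LEVEL [logger]", with the message on the following line(s).
HEADER = re.compile(r"^(\S+) (\S+) \[([^\]]+)\] (\w+)\s+\[([^\]]+)\]\s*(.*)$")
CONNECT = re.compile(r"Connecting to vCenter (\S+)")
PKIX = "PKIX path building failed"

# Constructed sample: timestamps and hostname are placeholders, messages follow the article.
SAMPLE_LOG = """\
2024-01-15 10:02:11 [main] INFO  [com.vmware.evo.sddc.lcm.sdk.util.SnapshotUtil]
                  Connecting to vCenter https://vcenter.example.test/sdk
2024-01-15 10:02:12 [main] INFO  [com.vmware.evo.sddc.lcm.primitive.common.ssl.CustomTrustManager]
                  Fall back to default trust manager
2024-01-15 10:02:12 [main] ERROR [com.vmware.evo.sddc.lcm.primitive.common.connection.ConnectedVimServiceBase]
                  No valid connection available.
com.vmware.evo.sddc.lcm.primitive.common.connection.BasicConnection$BasicConnectionException: failed to connect: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
"""

def parse_records(text):
    """Fold each header line and its continuation lines (message, exception) into one record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            date, time, _thread, level, logger, msg = m.groups()
            records.append({"ts": f"{date} {time}", "level": level,
                            "logger": logger, "msg": msg.strip()})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def find_trust_failures(text):
    """Return one entry per vCenter connection attempt that ended in a PKIX trust failure."""
    failures, current = [], None
    for rec in parse_records(text):
        m = CONNECT.search(rec["msg"])
        if m:
            current = m.group(1)  # remember which endpoint the tool was connecting to
        elif current and PKIX in rec["msg"]:
            failures.append({"vcenter": current, "ts": rec["ts"], "level": rec["level"]})
            current = None
    return failures

if __name__ == "__main__":
    for f in find_trust_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['level']}: certificate for {f['vcenter']} not trusted by the tool")
```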

Resolution

There is currently no resolution to this issue.

Workaround:
To work around this issue, perform the following steps:
  1. Log into the UI of the Management vCenter.
  2. Take a snapshot of the SDDC Manager VM.
  3. Once the snapshot has completed, retry the upgrade by adding "-s" to the command that was being used to initiate the skip level upgrade. For example, "sddcmanager-skip-level-upgrade.bat -s -d -u" or "sddcmanager-skip-level-upgrade -s -d -u"