"Certificate Validation Failure During Pre-Check for vCenter Server Upgrade - Regenrate certificates for SSO and try again"
Article ID: 324980
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- Pre-upgrade check fails with error "Certificate validation failed during pre-upgrade check"
- In the requirements-upgrade-runner.log file, you see entries similar to:
'description': {'id': 'upgrade.sso.precheck.error.description', 'translatable': 'Certificate has expired', 'localized': 'Certificate has expired'}, 'problemId': None, 'resolution': {'id': 'upgrade.sso.precheck.error.resolution', 'translatable': 'Regenerate certificates for sso and try again', 'localized': 'Regenerate certificates for sso and try again'}}]}},
- Pre-check fails when upgrading from vCenter 7 to 8
- Legacy Lookup service certificate is "Expired"
Environment
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
Resolution
To resolve this issue, replace the STS_INTERNAL_SSL_CERT with the machine cert from the MACHINE_SSL_CERT store.
Process to replace STS_INTERNAL_SSL_CERT with machine cert from MACHINE_SSL_CERT store:
- Check if the lookup certificate is expired by running this command:
openssl s_client -connect <PSC/VCSA-FQDN/IP>:7444 | less- From the about output copy the contents which starts with "-----BEGIN CERTIFICATE-----" till the "-----END CERTIFICATE-----".
- Save this file as 7444-lookup.txt and go to that location and rename this file extension as 7444-lookup.crt
- Now open this 7444-lookup.crt file and check if the certificate is valid or expired.
- If its expired then follow the Step 2.
- Replace the expired 7444 certificate stored in the STS_INTERNAL_SSL_CERT with the machine cert from the MACHINE_SSL_CERT store. Implement the commands below as you see them one by one:
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/tmp/MachineSSL.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/tmp/MachineSSL.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/MachineSSL.crt --key /var/tmp/MachineSSL.key
Windows:
Open Command prompt as administrator and navigate to cd C:\Program Files\VMware\vCenter Server\vmafdd
vecs-cli.exe entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.crt
vecs-cli.exe entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.key
vecs-cli.exe entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.crt
vecs-cli.exe entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.key
vecs-cli.exe entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
vecs-cli.exe entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert C:\Windows\Temp\MachineSSL.crt --key C:\Windows\Temp\MachineSSL.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/tmp/MachineSSL.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/MachineSSL.crt --key /var/tmp/MachineSSL.key
Windows:
Open Command prompt as administrator and navigate to cd C:\Program Files\VMware\vCenter Server\vmafdd
vecs-cli.exe entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.crt
vecs-cli.exe entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.key
vecs-cli.exe entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.crt
vecs-cli.exe entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.key
vecs-cli.exe entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
vecs-cli.exe entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert C:\Windows\Temp\MachineSSL.crt --key C:\Windows\Temp\MachineSSL.key
- Restarted the vCenter Services.
- service-control --stop --all
- service-control --start --all
- Re-run the openssl mentioned in Step #1 to validate if the lookup service certificate is valid.
- And then retry the VC upgrade.
- If Lookup service certificate is valid and you are facing the same issue, check certificates in VECS as well as SSO endpoints for possible expiration and replace them.
- Check if the lookup service is valid by running the below command again
- openssl s_client -connect <PSC/VCSA-FQDN/IP>:7444 | less
If this article didn’t solve your issue:
| Ask for help here : Click for Broadcom Communities |
Feedback
Yes
No
Powered by
