vCenter Server Appliance 6.7 Migration Fails During Firstboot - VMware Identity Management Service Firstboot Failed - "The SSL certificate of STS service cannot be verified" - "validity check failed"
Article ID: 338165
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
To learn more about firstboot issues see: Understanding and Troubleshooting vCenter Server and vCenter Server Appliance 6.7 Firstboot Install/Deployment, Upgrade, or Migration Failures.
To collect a log bundle or review log files for a vCenter Server Appliance install, upgrade, or migration issues reference Triaging a vCenter Server Appliance 6.0 installation, upgrade, or migration (6.0 U2m) failure. The relevant logs will be on the newly deployed appliance.
firstbootStatus.json contains the following:
"failedSteps": "vmidentity-firstboot"
vmidentity-firstboot.py_####_stdout.log contains the following:
The SSL certificate of STS service cannot be verified
cloudvm.log contains the following:
Stdout: DNS reverse lookup on [IP_Address] has failed.
Unable to obtain hostname from DNS reverse lookup.
Please examine DNS/network configuration.
Note:
vmware-sts-idmd.log contains the following:
PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Note:
To learn more about firstboot issues see: Understanding and Troubleshooting vCenter Server and vCenter Server Appliance 6.7 Firstboot Install/Deployment, Upgrade, or Migration Failures.
To collect a log bundle or review log files for a vCenter Server Appliance install, upgrade, or migration issues reference Triaging a vCenter Server Appliance 6.0 installation, upgrade, or migration (6.0 U2m) failure. The relevant logs will be on the newly deployed appliance.
firstbootStatus.json contains the following:
"failedSteps": "vmidentity-firstboot"
vmidentity-firstboot.py_####_stdout.log contains the following:
The SSL certificate of STS service cannot be verified
cloudvm.log contains the following:
Stdout: DNS reverse lookup on [IP_Address] has failed.
Unable to obtain hostname from DNS reverse lookup.
Please examine DNS/network configuration.
Note:
- vCenter Server Appliance - Firstboot logs are located in the /var/log/firstboot directory.
vmware-sts-idmd.log contains the following:
PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Note:
- vCenter Server Appliance - Each service will have it's own folder in the /var/log/vmware/ directory. The vmware-sts-idmd logs are located in the /var/log/vmware/sso/ folder.
Environment
VMware vCenter Server Appliance 6.7.x
Cause
This issue occurs when deploying a vCenter Server Appliance 6.7 with an IP address that has no DNS record configured. IP based deployments without DNS are not supported.
Resolution
Before deploying a vCenter Server Appliance 6.7 with a static IP address, verify that the IP address has a valid (internal) domain name system (DNS) registration.
For more information about DNS requirements see: DNS Requirements for the vCenter Server Appliance and Platform Services Controller Appliance.
For more information about DNS requirements see: DNS Requirements for the vCenter Server Appliance and Platform Services Controller Appliance.
Feedback
Yes
No
Powered by
