To resolve this issue, ensure that the vmafd service is reachable and started before continuing.
Note: Take a valid snapshot/backup of the source vCenter Server.
- Check for invalid entries in the TRUSTED_ROOTS store (an alias should contain a thumbprint, not a URL) by running this command on the source appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | grep Alias
You see output similar to:
Alias : 44cc699f8acb000e22cd9d54xxxxxxxxxxxxxxxx
Alias : 4ed81f47dda09fe0d2e28156xxxxxxxxxxxxxxxx
Alias : https://192.168.148.60:8443/vasa/version.xml
Note: The third entry in the above list is invalid because its alias is a URL instead of a thumbprint, and it should be deleted.
- Back up the certificate of the invalid entry by running this command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store trusted_roots --alias <URL> --output <location>
For example:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store trusted_roots --alias https://192.168.148.60:8443/vasa/version.xml --output /storage/core/nimble192.168.148.60.crt
- Delete the entry from the store by running this command (the connection to VASA is not disrupted by performing this deletion):
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store trusted_roots --alias <URL>
For example:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store trusted_roots --alias https://192.168.148.75:8443/vasa/version.xml
- To publish the certificate to vmdir, run this command:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <location> --login administrator --password <password>
For example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /storage/core/nimble192.168.148.60.crt --login administrator --password VMware123
- To list the TRUSTED_ROOTS certificates, run this command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | grep Alias
You see output similar to:
Alias : 44cc699f8acb000e22cd9d54xxxxxxxxxxxxxxxx
Alias : 4ed81f47dda09fe0d2e28156xxxxxxxxxxxxxxxx
Alias : 6a44eff3db63a9699ba3e65axxxxxxxxxxxxxxxx
- Retry the vCenter upgrade process. The pre-checks will now complete successfully.
- If the certificate is no longer in use, you can unpublish it by running this command:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <location> --login administrator --password <password>
For example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /storage/core/nimble192.168.148.60.crt --login administrator --password VMware123
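The alias check and the backup, delete and publish steps above can be scripted so that nothing is removed before it has been reviewed. The following is an added example, not part of the original article or VMware tooling: it reads the alias listing, flags every alias that is not a thumbprint, and prints the commands from this article for each one without running them. It assumes a valid alias is 40 hexadecimal characters; the sample listing, the function names and the invalid_root_N.crt file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Assumption: a valid alias is a 40-character
# hex thumbprint, matching the length of the masked aliases shown above.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli
BACKUP_DIR=/storage/core   # directory used in the article's examples

# Constructed sample in the format of `vecs-cli entry list ... | grep Alias`.
sample_listing() {
    cat <<'EOF'
Alias : 0123456789abcdef0123456789abcdef01234567
Alias : 89ABCDEF0123456789abcdef0123456789ABCDEF
Alias : https://192.168.148.60:8443/vasa/version.xml
EOF
}

# Read the listing on stdin; print every alias that is not a hex thumbprint.
find_invalid_aliases() {
    awk '/^[ \t]*Alias[ \t]*:/ {
        sub(/^[ \t]*Alias[ \t]*:[ \t]*/, "")
        sub(/[ \t\r]+$/, "")
        if (length($0) != 40 || $0 ~ /[^0-9A-Fa-f]/) print
    }'
}

# Print (do not run) the backup, delete and publish commands for each invalid
# alias so they can be reviewed first. File names invalid_root_N.crt are made up.
plan_cleanup() {
    n=0
    find_invalid_aliases | while IFS= read -r alias; do
        n=$((n + 1))
        q=$(printf '%s' "$alias" | sed "s/'/'\\\\''/g")   # escape single quotes
        out="$BACKUP_DIR/invalid_root_$n.crt"
        printf "%s entry getcert --store trusted_roots --alias '%s' --output %s\n" "$VECS_CLI" "$q" "$out"
        printf "%s entry delete --store trusted_roots --alias '%s'\n" "$VECS_CLI" "$q"
        printf "%s trustedcert publish --cert %s --login administrator --password <password>\n" "$DIR_CLI" "$out"
    done
}

# On the appliance: "$VECS_CLI" entry list --store TRUSTED_ROOTS | plan_cleanup
sample_listing | plan_cleanup
```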