"VMCA root certificate validation failed, VMCA root certificate does not have Subject Key Identifier extension" pre-check error message while Patching / Upgrading vCenter Server
Article ID: 344774


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Upgrading or patching vCenter Server to 8.0 U2a or later shows the following pre-check error message:
VMCA root certificate validation failed.
VMCA root certificate does not have 'Subject Key Identifier' extension.
Suggested Resolution: VMCA root certificate on vCenter needs to be regenerated. Refer to VMware KB 94840 for more details.

  • Patching to 8.0 U2 fails with any of the failures below:
Failure while generating 'wcp' certificate

/var/log/vmware/applmgmt/PatchRunner.log shows entries similar to the following:

2023-09-27T01:37:47.391Z wcp:Patch ERROR root Failed to update solution user wcp.
Traceback (most recent call last):
  File "/usr/lib/vmware-wcp/py-modules/wcpconfigure.py", line 352, in update
    self._gen_cert()
  File "/usr/lib/vmware-wcp/py-modules/wcpconfigure.py", line 192, in _gen_cert
    invoke_command(
  File "/usr/lib/vmware/site-packages/cis/utils.py", line 372, in invoke_command
    raise InvokeCommandException(errStr='Command: %s\nStderr: %s' %\
cis.exceptions.InvokeCommandException: {
    "detail": [
        {
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                "Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.example.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\nStderr: "
            ],
            "localized": "An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.example.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\nStderr: '"
        }

2023-09-27T01:37:47.392Z wcp:Patch ERROR wcp Failed to apply patch %s! Error: %s.
2023-09-27T01:37:47.392Z wcp:Patch ERROR wcp Not all patches were applied. Latest applied patch is 1
2023-09-27T01:37:47.392Z wcp:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'wcp:Patch' failed.

/var/log/vmware/applmgmt/update_microservice.log shows entries similar to the following:

2023-09-27T01:37:47.390Z  Done running command\n"
error=b"2023-09-27T01:37:47.390Z  Invoked command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.example.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\n2023-09-27T01:37:47.390Z  RC = 124\nStdout = Error: 70012, VMCAGetSignedCertificatePrivate() failedStatus : Failed\nError Code : 70012\nError Message : Invalid CSR field\n\nStderr = \n"
  • A major upgrade of vCenter Server from 6.x or 7.x to 8.0 U2 fails with any of the errors below:
"Failed to create data encipherment cert with hostname/ip"

/var/log/firstboot/vpxd_firstboot.py_xxxx_stderr.log shows:

2023-09-27T13:59:02.247Z  Invoked command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc2.example.com', '--genCIScert', '--dataencipherment', '--privkey=/etc/vmware-vpx/ssl/tmp-data-encipherment.key', '--cert=/etc/vmware-vpx/ssl/tmp-data-encipherment.crt', '--Name=data-encipherment', '--FQDN=vc2.example.com']
2023-09-27T13:59:02.247Z  RC = 124
Stdout = Error: 70012, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 70012
Error Message : Invalid CSR field
Stderr =
2023-09-27T13:59:02.247Z  VirtualCenter firstboot failed

  • Any certificate replacement on vCenter Server after upgrading to 8.0 U2 fails with the error message below:
Error: 70012, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 70012
Error Message : Invalid CSR field


Environment

VMware vCenter Server 8.0.x

Cause

This issue occurs when the VMCA root certificate is an old one that lacks the Subject Key Identifier extension. This generally happens when the VMCA root was carried forward from version 5.5 through successive upgrades.
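A way to confirm the condition described above before starting the upgrade, added here as an example (not VMware code and not part of this article): it walks the DER structure of the root certificate with only the Python standard library and reports whether the Subject Key Identifier extension (OID 2.5.29.14) is present. The `certool --getrootca` invocation mentioned in a comment and the `skeleton_cert` fixture are assumptions and constructed data, not something the article provides.

```python
"""Does a VMCA root certificate carry the Subject Key Identifier (SKI,
OID 2.5.29.14) extension?  Added example, not VMware code: a minimal DER
walk using only the standard library, so it can run on the VCSA itself."""
import base64
SKI_OID = "2.5.29.14"
def tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length (real certs)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):   # all (tag, value) elements inside a constructed DER value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    """extnID OIDs from tbsCertificate.extensions ([3] EXPLICIT), else []."""
    _, cert, _ = tlv(cert_der, 0)           # Certificate SEQUENCE
    _, tbs, _ = tlv(cert, 0)                # tbsCertificate SEQUENCE
    for tag, val in children(tbs):
        if tag == 0xA3:                     # context tag [3] = Extensions
            _, exts, _ = tlv(val, 0)        # SEQUENCE OF Extension
            return [decode_oid(children(ext)[0][1]) for _, ext in children(exts)]
    return []                               # v1 certificate: no extensions
def has_subject_key_identifier(cert_der):
    return SKI_OID in extension_oids(cert_der)

def load_pem(text):   # e.g. output of `certool --getrootca` (assumed) saved to a file
    body = [l for l in text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def skeleton_cert(*ext_ders):   # constructed, unsigned v3 fixture, not from any real CA
    exts = b"".join(ext_ders)
    tagged = bytes([0xA3, len(exts) + 2, 0x30, len(exts)]) + exts
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01" + b"\x30\x00" * 5 + tagged
    body = bytes([0x30, len(tbs)]) + tbs + b"\x30\x00\x03\x01\x00"
    return bytes([0x30, len(body)]) + body
SKI_EXT = b"\x30\x09\x06\x03\x55\x1d\x0e\x04\x02\xab\xcd"   # 2.5.29.14, dummy keyIdentifier
BC_EXT = b"\x30\x09\x06\x03\x55\x1d\x13\x04\x02\x30\x00"    # 2.5.29.19 basicConstraints
```

On a live appliance, `has_subject_key_identifier(load_pem(open("root.pem").read()))` returning False is the same condition the pre-check reports, and the root should be regenerated as described under Resolution.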

Resolution

Note: Regenerating the root certificate will, by default, also replace the Machine SSL and Solution User certificates. If the vCenter Server uses custom certificates for Machine SSL and Solution Users, those certificates need to be replaced with the custom certificates again after completing the procedure below.

To resolve the issue, regenerate the VMCA root certificate and the associated Machine SSL and Solution User certificates using either of the methods below. If the source is a Windows vCenter Server (migration scenario), use the Certificate Manager utility to replace the certificates, because the fixcerts script works only on the vCenter Server Appliance (VCSA).

Using the Certificate Manager utility:

  • Log in to vCenter Server
  • Run Certificate Manager:
On VCSA:
/usr/lib/vmware-vmca/bin/certificate-manager

On Windows VC:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

Note: The path listed is for a default installation of vCenter Server. If you customized the installation location of vCenter Server, change the directory accordingly.
  • Select option 4 or 8:

                |  4. Regenerate a new VMCA Root Certificate and replace all certificates
                |  8. Reset all Certificates

Note : Use Ctrl-D to exit.
Option[1 to 8]:
  • Enter the SSO administrator credentials and the fields for the certificate
  • Continue with the certificate replacement by entering 'Y'

Refer to KB How to use vSphere Certificate Manager to Replace SSL Certificates for more details on the Certificate Manager utility.

Using the fixcerts Python utility (works only on VCSA):

python fixcerts.py replace --certType root
  • Restart all services if you skipped the restart offered by the fixcerts utility:
service-control --stop --all && service-control --start --all


Refer to KB How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script for more details on the fixcerts script.