vCenter Upgrade from v6.7 to v7.0 fails at the Pre-checks with "Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store"


Article ID: 345271


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms: The upgrade pre-checks fail with the error "Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store".

Environment

VMware vCenter Server 6.7
VMware vCenter Server 7.x

Cause

This issue occurs when a single alias in the TRUSTED_ROOTS VECS store contains two certificate chains instead of one. The pre-check expects one certificate per entry, so the combined entry cannot be enumerated and validated.

Resolution

To resolve the issue, follow the steps below:

  1. Take a snapshot of the vCenter Appliance.
  2. Establish an SSH session to the source vCenter Appliance.
  3. Change to the VECS tools directory: cd /usr/lib/vmware-vmafd/bin
  4. List the entries in the TRUSTED_ROOTS store: ./vecs-cli entry list --store TRUSTED_ROOTS
  5. Make a note of the alias whose entry holds two certificate chains.
  6. Copy both certificate chains into a text editor for reference.
  7. Take a backup of the certificate by running: ./vecs-cli entry getcert --store TRUSTED_ROOTS --alias ############################ > /var/tmp/temp.crt
  8. Un-publish and delete the certificate using the KB: https://knowledge.broadcom.com/external/article/326288/removing-ca-certificates-from-the-truste.html
  9. Once deleted, copy the first chain from the reference in the text editor, create a file called cert1.txt in /var/tmp, and paste the chain into it.
  10. Similarly, copy the second chain, create a file called cert2.txt in /var/tmp, and paste the chain into it.
  11. Publish the first certificate by running: ./dir-cli trustedcert publish --cert /var/tmp/cert1.txt --login administrator
  12. Run the same command for /var/tmp/cert2.txt.
  13. Once done, refresh the contents of the VECS store by running: ./vecs-cli force-refresh
  14. Proceed with running the pre-checks once the above tasks are completed.
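Steps 6, 9 and 10 split the backed-up entry by hand. The shell function below, added here as an example and not part of this KB or of the vecs-cli/dir-cli tooling, does the same split mechanically: it reads a PEM file such as /var/tmp/temp.crt and writes each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block to its own file (cert1.txt, cert2.txt, ...), and returns the number of blocks found so you can confirm the entry really held two certificates before un-publishing it. The function and file names are assumptions; the sample input it creates is a constructed placeholder with fake certificate bodies, not real certificate data.

```shell
#!/bin/sh
# Added example (not from the KB): split a multi-certificate PEM file into
# one file per certificate, numbered <prefix>1.txt, <prefix>2.txt, ...
# Prints the number of certificate blocks found on stdout.
split_pem() {
    infile="$1"
    prefix="$2"
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".txt"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$infile"
    count_certs "$infile"
}

# Count the certificate blocks in a PEM file; 0 if none (grep -c exits 1 then).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write a constructed sample that mimics an entry holding two chains.
# The bodies are placeholders, not real certificates.
make_sample() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-CHAIN-ONE' \
        '-----END CERTIFICATE-----' \
        '' \
        '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-CHAIN-TWO' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo run in a scratch directory (the real backup would be /var/tmp/temp.crt).
demo_dir=$(mktemp -d)
make_sample "$demo_dir/temp.crt"
found=$(split_pem "$demo_dir/temp.crt" "$demo_dir/cert")
echo "certificate blocks found: $found"   # 2 for the constructed sample
ls "$demo_dir"/cert*.txt
rm -rf "$demo_dir"
```

On the appliance, the equivalent call would be split_pem /var/tmp/temp.crt /var/tmp/cert, which yields /var/tmp/cert1.txt and /var/tmp/cert2.txt for step 11 and step 12. Blank lines between the blocks are skipped, and a count other than 2 means the entry does not match the condition this article describes, so re-check the alias before deleting anything.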



Additional Information

If you verify that the certificate under the alias holding the two chains is not used as an issuer of any other certificate, proceed with deleting that certificate.