"Failed to check VMware STS. The SSL certificate of STS service cannot be verified" while upgrading VCSA from 6.5 to 6.7/7.0


Article ID: 345432


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • The VCSA upgrade fails during the vmidentity firstboot stage of the new appliance.
  • The firstboot error reads:
Failed to check VMware STS.
com.vmware.vim.sso.client.exception.CertificateValidationException: The SSL certificate of STS service cannot be verified


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x

Cause

If the vCenter Server was originally upgraded from 5.5, the STS_INTERNAL_SSL_CERT store still holds the legacy Lookup Service certificate that served https://FQDN:7444/lookupservice/sdk. The upgrade's STS check validates the STS endpoint against this stale certificate rather than the current Machine SSL certificate, so certificate validation fails and firstboot stops.

Resolution

To resolve the issue, replace the entry in the STS_INTERNAL_SSL_CERT store with the current Machine SSL certificate and private key from the MACHINE_SSL_CERT store.

Follow the steps below in the appliance shell of the source vCenter Server (as root):

  1. Back up the current entries of both the STS_INTERNAL_SSL_CERT and MACHINE_SSL_CERT stores. The getkey commands write private keys to disk, so keep the exported files readable by root only and delete them once the upgrade has succeeded.
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL_SSL_CERT-__MACHINE_CERT.crt
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL_SSL_CERT-__MACHINE_CERT.key
  2. Delete the stale entry from the STS_INTERNAL_SSL_CERT store:
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
  3. Import the Machine SSL certificate and key exported in step 1 into the STS_INTERNAL_SSL_CERT store:
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key
  4. Restart the STS service (vmware-stsd) so that it picks up the new entry:
    • service-control --stop vmware-stsd
    • service-control --start vmware-stsd
  5. Retry the upgrade.
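The following script is an added example and not VMware's own tooling: it wraps steps 1 to 4 above so that both stores are backed up first, the exported files are sanity-checked, and the STS_INTERNAL_SSL_CERT entry is only replaced when it actually differs from the Machine SSL certificate (if the two already match, this KB does not apply and nothing is changed). It assumes the vecs-cli path and the __MACHINE_CERT alias from the steps above, that it runs as root in the appliance shell, and that the Machine SSL certificate is the one STS should present. The `--apply` flag and the BACKUP_DIR variable are conventions of this example only.

```shell
#!/bin/sh
# Added example (not VMware code): guarded version of the STS_INTERNAL_SSL_CERT
# replacement. Assumes vecs-cli at the KB path, alias __MACHINE_CERT, root shell.
set -eu
umask 077   # exported private keys must not be readable by other users

VECS=/usr/lib/vmware-vmafd/bin/vecs-cli
ALIAS=__MACHINE_CERT
BACKUP_DIR=${BACKUP_DIR:-/var/tmp/vecs-backup-$(date +%Y%m%d-%H%M%S)}

# 0 if the file contains a PEM certificate block, 1 otherwise.
looks_like_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# 0 if the file contains a PEM private key block (PKCS#1 RSA/EC or PKCS#8), 1 otherwise.
looks_like_pem_key() {
  grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Print the base64 body of the first certificate in a PEM file with all
# whitespace stripped, so two exports can be compared without openssl.
cert_body() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | grep -v -- '-----' | tr -d ' \r\n'
}

# 0 if both files hold the same certificate, 1 if they differ or are empty.
certs_match() {
  [ -n "$(cert_body "$1")" ] && [ "$(cert_body "$1")" = "$(cert_body "$2")" ]
}

# Export certificate and key of one store/alias into BACKUP_DIR and check the result.
backup_store() {
  store=$1
  "$VECS" entry getcert --store "$store" --alias "$ALIAS" --output "$BACKUP_DIR/$store.crt"
  "$VECS" entry getkey  --store "$store" --alias "$ALIAS" --output "$BACKUP_DIR/$store.key"
  looks_like_pem_cert "$BACKUP_DIR/$store.crt" || { echo "bad cert export for $store" >&2; return 1; }
  looks_like_pem_key  "$BACKUP_DIR/$store.key" || { echo "bad key export for $store" >&2; return 1; }
}

main() {
  mkdir -p "$BACKUP_DIR"
  backup_store MACHINE_SSL_CERT
  backup_store STS_INTERNAL_SSL_CERT
  if certs_match "$BACKUP_DIR/MACHINE_SSL_CERT.crt" "$BACKUP_DIR/STS_INTERNAL_SSL_CERT.crt"; then
    echo "STS_INTERNAL_SSL_CERT already holds the Machine SSL certificate; nothing to replace"
    return 0
  fi
  echo "Replacing stale STS_INTERNAL_SSL_CERT entry (backup in $BACKUP_DIR)"
  "$VECS" entry delete --store STS_INTERNAL_SSL_CERT --alias "$ALIAS" -y
  "$VECS" entry create --store STS_INTERNAL_SSL_CERT --alias "$ALIAS" \
    --cert "$BACKUP_DIR/MACHINE_SSL_CERT.crt" --key "$BACKUP_DIR/MACHINE_SSL_CERT.key"
  service-control --stop vmware-stsd
  service-control --start vmware-stsd
  # Re-export and confirm the store now matches before retrying the upgrade.
  "$VECS" entry getcert --store STS_INTERNAL_SSL_CERT --alias "$ALIAS" --output "$BACKUP_DIR/after.crt"
  certs_match "$BACKUP_DIR/MACHINE_SSL_CERT.crt" "$BACKUP_DIR/after.crt"
}

# Only touch VECS when explicitly asked; otherwise the helpers above can be sourced.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh replace-sts-cert.sh --apply`; the backup directory it prints is what you restore from with `vecs-cli entry create` if the upgrade still fails, and it should be deleted (it contains private keys) once the upgrade has completed.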