"Error: vCenter CA certificate not verified. Stopping" while Migrating vCenter Server from 5.5 to 6.x

Article ID: 345501

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • vCenter Migration from 5.5 to 6.x using Migration assistant fails with:
     Error: vCenter CA certificate not verified. Stopping.
  • In the migration-assistant.log file, you see entries similar to the following:

    2016-11-08 15:31:13.236Z| migration-assistant-4191364| I: IsAddrCompatibleWithCertDnsName: Address 'vcenter.domain.com' is not compatible with DNS name 'vcenter'.
    2016-11-08 15:31:13.236Z| migration-assistant-4191364| I: IsAddrCompatibleWithCertDnsName: Address 'vcenter.domain.com' is compatible with DNS name 'vcenter.domain.com'.
    2016-11-08 15:31:13.236Z| migration-assistant-4191364| E: ParsePreUpgradeOutput: Error: Failed to discover a system name that is compatible with both your VMware vCenter Server certificate and your VMware Single Sign-On certificate thatcan be used to migrate to a VMware vCenter Server Appliance with an embedded Platform Services Controller.
    2016-11-08 15:31:13.236Z| migration-assistant-4191364| I: ParsePreUpgradeOutput: Resolution: Regenerate your VMware vCenter Server SSL certificate and your VMware Single Sign-On SSL certificate to have a common system name that can be used to migrate your system to VMware vCenter Server Appliance with Platform Services Controller. DHCP IP Address cannot be used as a system name to migrate to a VMware vCenter Server Appliance.
    2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Parsed 1 error messages.
    2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Error messages: Error: vCenter CA cerfificate not verified. Stopping.
    Resolution: Please use the vCenter Upgrade Logs to get more details of this error.
    2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Parsed 1 warning messages.
    2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Warning messages: Warning: This vCenter Server has extensions registered that cannot be upgraded to or may not work with the new vCenter Server.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
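
To read such a log quickly, this added example (not VMware code) pairs each address with the certificate DNS names it was checked against and collects the error entries, folding untimestamped lines such as "Resolution:" into the entry they follow. The sample lines are constructed in the format of the excerpt above; `triage`, `ENTRY` and `COMPAT` are names chosen for this example.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+Z)\| (?P<proc>[\w-]+)\| "
                   r"(?P<level>[A-Z]): (?P<func>\w+): (?P<msg>.*)$")
COMPAT = re.compile(r"Address '(?P<addr>[^']+)' is (?P<neg>not )?compatible "
                    r"with DNS name '(?P<dns>[^']+)'")

# Constructed sample in the format of the log excerpt above.
SAMPLE = """\
2016-11-08 15:31:13.236Z| migration-assistant-4191364| I: IsAddrCompatibleWithCertDnsName: Address 'vcenter.domain.com' is not compatible with DNS name 'vcenter'.
2016-11-08 15:31:13.236Z| migration-assistant-4191364| I: IsAddrCompatibleWithCertDnsName: Address 'vcenter.domain.com' is compatible with DNS name 'vcenter.domain.com'.
2016-11-08 15:31:13.236Z| migration-assistant-4191364| E: ParsePreUpgradeOutput: Error: Failed to discover a system name that is compatible with both certificates.
2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Error messages: Error: vCenter CA cerfificate not verified. Stopping.
Resolution: Please use the vCenter Upgrade Logs to get more details of this error.
2016-11-08 15:31:13.279Z| migration-assistant-4191364| I: ParseErrorsWarningsFromPreUpgradeOutput: Parsed 1 warning messages.
"""

def triage(log_text):
    """Return ({address: {compatible: [...], incompatible: [...]}}, [error messages])."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            # A line without a timestamp continues the previous entry.
            entries[-1]["msg"] += " " + line.strip()
    names = defaultdict(lambda: {"compatible": [], "incompatible": []})
    errors = []
    for e in entries:
        c = COMPAT.search(e["msg"])
        if c:
            key = "incompatible" if c["neg"] else "compatible"
            names[c["addr"]][key].append(c["dns"])
        elif e["level"] == "E" or e["msg"].startswith("Error messages:"):
            errors.append(e["msg"])
    return dict(names), errors

if __name__ == "__main__":
    print(triage(SAMPLE))
```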


Environment

VMware vCenter Server 5.5.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Cause

This issue occurs if the vCenter certificate file cacert.pem is not located in C:\ProgramData\VMware\VMware VirtualCenter\SSL.

Resolution

To resolve the issue "Error: vCenter CA certificate not verified. Stopping", follow the steps below:

Step 1: Create a new cacert.pem file signed by the Custom CA Certificate:

  1. Create a new cacert.pem containing the vCenter certificate and the root certificate (if an intermediate certificate is present, add the intermediate as well).
  2. Save the above file as cacert.pem under C:\ProgramData\VMware\VMware VirtualCenter\SSL.
  3. Re-run the migration tool.

Step 2: Create a new cacert.pem file signed by the VMCA

  1. Create the cfg file using the template below:

    [ req ]
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:false
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = DNS:vc.local, DNS:vc
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company
    organizationalUnitName = IT
    commonName = vc.local

    Note: Change the DNS names, commonName, state, city, company, and organizational unit name wherever required.

  2. Create the csr and key file using the command below:

    Note: The openssl.exe file is available in this location in vCenter Server 5.5: C:\Program Files\VMware\Infrastructure\Inventory Service\bin

    openssl.exe req -new -nodes -out "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.csr" -newkey rsa:2048 -keyout "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key" -config "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.cfg"

  3. Create the certificate using the command below:

    openssl.exe x509 -req -days 3650 -in "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.csr" -out "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt" -CA "C:\ProgramData\VMware\CIS\data\vmca\root.cer" -CAkey "C:\ProgramData\VMware\CIS\data\vmca\privatekey.pem" -extensions v3_req -CAcreateserial -extfile "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.cfg"

  4. Run the command:

    vpxd -p

  5. Go to the location C:\ProgramData\VMware\CIS\data\vmca.
  6. Copy the privatekey.pem and root.cer files and paste them into the location C:\ProgramData\VMware\VMware VirtualCenter\SSL\. Rename the root.cer file to cacert.pem.
  7. Reload the certificate from the mob page. Navigate to the URL below:
    • http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
    • https:///mob/?moid=vpxd-securitymanager&vmodl=1
  8. Enter a vCenter Server administrator or [email protected] username and password when prompted.
  9. Click reloadSslCertificate.
  10. Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
  11. Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
  12. Restart the VMware VirtualCenter Server service from the service control manager (services.msc).
  13. Restart the VMware vSphere Profile Driven Storage Service. Ensure that the VMware VirtualCenter Management Webservices service is started.
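
Before generating the CSR, the edited rui.cfg can be checked against the system name the migration will use. This added example (not VMware code) parses the template's sections and reports a missing subjectAltName entry, a mismatched commonName, or template placeholders left in place. It assumes a case-insensitive exact match, as the IsAddrCompatibleWithCertDnsName log lines suggest; `parse_openssl_cfg`, `check_request_cfg` and the constructed sample are this example's own.

```python
import re

TEMPLATE_NAMES = {"vc.local", "vc"}  # placeholder names in the template above

# Constructed sample: the template's name-bearing keys, edited for the host
# 'vcenter.domain.com' that appears in the log excerpt.
EDITED_CFG = """\
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:vcenter.domain.com, DNS:vcenter
[ req_distinguished_name ]
commonName = vcenter.domain.com
"""

def parse_openssl_cfg(text):
    """Return {section: {key: value}} for a simple OpenSSL request config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_request_cfg(text, system_name):
    """List reasons the resulting certificate would not match system_name."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    sans = [e.split(":", 1)[1].strip().lower()
            for e in ext.get("subjectAltName", "").split(",")
            if e.strip().upper().startswith("DNS:")]
    wanted, problems = system_name.lower(), []
    if wanted not in sans:
        problems.append(f"subjectAltName lacks DNS:{system_name} (has {sans})")
    if dn.get("commonName", "").lower() != wanted:
        problems.append(f"commonName is {dn.get('commonName')!r}")
    leftovers = [] if wanted in TEMPLATE_NAMES else sorted(TEMPLATE_NAMES & set(sans))
    if leftovers:
        problems.append(f"template placeholders still present: {leftovers}")
    return problems

if __name__ == "__main__":
    print(check_request_cfg(EDITED_CFG, "vcenter.domain.com"))
```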


Additional Information

Configuring CA signed certificates for vCenter Server 5.5
"Failed to verify the SSL certificate" after upgrading to vCenter Server 5.5 U1 or later