vCenter upgrade to 8 Pre-Check fails with error "Failed to get server certificate for validation"


Article ID: 371912


Products

VMware vCenter Server

Issue/Introduction

Upgrading vCenter Server to version 8 fails during the Pre-Check stage with the following error:

"Error Failed to get server certificate for validation

Resolution Make sure that the sso service is reachable and started before continuing"

Cause

  1. The source vCenter certificate subject is missing a CN value.
  2. Port 7444, on which the vmware-stsd (SSO) service listens, is not accessible on the vCenter.

Resolution

1. Ensure that the source vCenter being upgraded has a certificate subject with a CN value.

2. Repair access to port 7444

  • To verify that port 7444 is accessible, run the following command:

root@vcsa01 [ ~ ]# curl -vvv -k https://127.0.0.1:7444
*   Trying 127.0.0.1:7444...
* Connected to 127.0.0.1 (127.0.0.1) port 7444 (#0)
* ALPN: offers http/1.1

 

If the command cannot connect, port 7444 is blocked on the vCenter.

  • To check for firewall rules on the vCenter, inspect iptables with the following command:

iptables -L | grep -i 7444
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7444
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7444

In this case, two DROP rules for port 7444 are present. To resolve the issue, remove the rules in question.

 

1. Remove any firewall rule set for port 7444 on the vCenter.

2. To edit the iptables rules and remove the blocking entries, follow these steps:

Export the current rules with: iptables-save > /var/tmp/iptables.rules.default

Edit the file, remove the entries for port 7444, and save the file: vi /var/tmp/iptables.rules.default

View the file again with cat or less and confirm that the entries are gone.

Restore the rules from the edited file with: iptables-restore < /var/tmp/iptables.rules.default

Run the iptables -L command again and confirm that the rule is no longer present.

3. Run the curl command again to test the connection on port 7444:

curl -vvv -k https://127.0.0.1:7444

4. Retry the upgrade.
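As an added example (not part of this article), the following POSIX shell functions carry out the iptables part of the procedure against an iptables-save dump held in a variable, so the "remove the entry" step can be checked before it is applied to the live rules. The dump is constructed for illustration and the function names are my own; repair_iptables_7444 at the end is the same dump, filter and restore sequence for the appliance and must be run as root there.

```shell
#!/bin/sh
# Added example, not from the KB article. Filters the port-7444 DROP rules out of
# an iptables-save dump, which is what the article's "edit the file, remove the
# entry" step does by hand in vi. The text functions run without root; only
# repair_iptables_7444 touches the live firewall.

# Constructed sample of an iptables-save dump, including the two DROP rules for
# dpt:7444 that the article's `iptables -L | grep -i 7444` output shows.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7444 -j DROP
-A INPUT -p tcp -m tcp --dport 7444 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print how many rules in the dump ($1) DROP traffic to TCP port $2 (default 7444).
count_drop_rules() {
    port="${2:-7444}"
    printf '%s\n' "$1" | grep -c -- "--dport ${port} -j DROP" || true
}

# Print the dump ($1) with every rule that targets TCP port $2 removed.
# Table header, chain policies, COMMIT and all other rules pass through verbatim.
# The trailing space after the port keeps 7444 from also matching 74440.
strip_port_rules() {
    port="${2:-7444}"
    printf '%s\n' "$1" | grep -v -- "--dport ${port} "
}

# Live procedure for the appliance (root required; not executed here).
# Keeps the untouched dump at the article's backup path, restores a filtered
# copy, then verifies that no rule for 7444 remains in the running ruleset.
repair_iptables_7444() {
    backup=/var/tmp/iptables.rules.default
    fixed=/var/tmp/iptables.rules.fixed
    iptables-save > "$backup" || return 1
    strip_port_rules "$(cat "$backup")" 7444 > "$fixed" || return 1
    iptables-restore < "$fixed" || return 1
    ! iptables -S | grep -q -- '--dport 7444'
}
```

Running count_drop_rules "$SAMPLE_RULES" on the sample prints 2; after strip_port_rules it prints 0 while the ACCEPT rule and the COMMIT line survive. On the appliance, repair_iptables_7444 replaces the manual vi edit, but review /var/tmp/iptables.rules.fixed before it is restored, since the filter removes every rule that references the port, not only DROP rules.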

  • If no firewall rules reference port 7444, check which services are listening on port 7444 on the vCenter appliance:

# netstat -anp | grep LISTEN | grep stsd

Healthy output should look like:

# netstat -anp | grep LISTEN | grep stsd
tcp        0      0 0.0.0.0:33501           0.0.0.0:*               LISTEN      42060/vmware-stsd.l
tcp        0      0 0.0.0.0:41407           0.0.0.0:*               LISTEN      42060/vmware-stsd.l
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      42060/vmware-stsd.l

# netstat -anp | grep 7444

tcp        0      0 127.0.0.1:57444         127.0.0.1:443           ESTABLISHED 48007/wcpsvc
tcp        0      0 127.0.0.1:443           127.0.0.1:57444         ESTABLISHED 41261/envoy

 

  • If the output above does not show stsd listening on port 7444, check /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties for the lines containing the port specification, towards the end of the file. The relevant section should look like:

base.shutdown.port=-1
bio-custom.http.port=7080
bio-custom.https.port=8443
bio-ssl-clientauth.https.port=3128
bio-ssl-localhost.https.port=7444

  • If this section does not contain a clean line for port 7444, for example because another property has been run onto the same line as shown below, proceed with the following steps:

base.shutdown.port=-1
bio-custom.http.port=7080
bio-custom.https.port=8443
bio-ssl-localhost.https.port=7444org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true

  • Make a backup of the existing catalina.properties file:

cp /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties.bak

  • Edit the broken line to conform to the healthy example:

bio-ssl-localhost.https.port=7444

  • Save the catalina.properties file.
  • Restart the stsd service in vCenter:

service-control --stop vmware-stsd 

service-control --start vmware-stsd 

  • Retry the upgrade.
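As an added example (not part of this article), these POSIX shell functions implement the two checks in this branch against text input: a LISTEN test for one specific port that is not fooled by the digits 7444 appearing inside port 57444 (which is why the netstat output above shows ESTABLISHED lines for a grep on 7444), and a detector and repair for the fused catalina.properties line. The netstat and properties samples are constructed and the function names are my own; the properties file path and the service-control restart are the article's.

```shell
#!/bin/sh
# Added example, not from the KB article. Text-based versions of the
# "is stsd listening on 7444" and "is the catalina.properties line clean" checks,
# plus a repair for the fused line. Sample inputs below are constructed.

# Constructed netstat -anp output: nothing LISTENs on 7444, but a client
# connection from port 57444 contains the digits "7444", so a bare
# `grep 7444` would report it.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      42060/vmware-stsd.l
tcp        0      0 127.0.0.1:57444         127.0.0.1:443           ESTABLISHED 48007/wcpsvc
tcp        0      0 127.0.0.1:443           127.0.0.1:57444         ESTABLISHED 41261/envoy'

# Return 0 if a socket in the netstat text ($1) LISTENs on exactly local port $2.
# Anchors on ":PORT" followed by whitespace, so :57444 cannot match port 7444.
is_listening_on_port() {
    printf '%s\n' "$1" | grep -E "^tcp6?[[:space:]].*:${2}[[:space:]].*LISTEN" >/dev/null
}

# Constructed tail of a broken catalina.properties, as shown in the article:
# the EXIT_ON_INIT_FAILURE property has been glued onto the 7444 port line.
BROKEN_PROPS='base.shutdown.port=-1
bio-custom.http.port=7080
bio-custom.https.port=8443
bio-ssl-localhost.https.port=7444org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true'

# Return 0 if the properties text ($1) has a clean, whole-line 7444 entry.
has_clean_7444_line() {
    printf '%s\n' "$1" | grep -qx 'bio-ssl-localhost.https.port=7444'
}

# Print the properties text ($1) with any fused port line split back into two
# lines: the port value, then whatever was appended after the digits.
# Lines that are already clean pass through unchanged.
fix_catalina_port_line() {
    printf '%s\n' "$1" | awk '
        /^bio-ssl-localhost\.https\.port=[0-9]+[^0-9]/ {
            match($0, /^bio-ssl-localhost\.https\.port=[0-9]+/)
            print substr($0, 1, RLENGTH)
            print substr($0, RLENGTH + 1)
            next
        }
        { print }'
}
```

On the appliance, pass live data in: is_listening_on_port "$(netstat -anp)" 7444, and fix_catalina_port_line "$(cat /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties)" written to a new file after the .bak copy the article describes has been made, followed by the service-control stop and start of vmware-stsd. Note that the repair only splits the line; it does not decide whether the appended property itself belongs in the file.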