vCenter upgrade to 8 Pre-Check fails with error "Failed to get server certificate for validation"

Article ID: 371912

Products

VMware vCenter Server

Issue/Introduction

The vCenter upgrade to 8 fails during Pre-Check with the following error:

"Error Failed to get server certificate for validation

Resolution Make sure that the sso service is reachable and started before continuing"

 

Cause

This issue is seen when port 7444 is not accessible on the vCenter.

To verify whether port 7444 is accessible, run the following command:

root@vcsa01 [ ~ ]# curl -vvv -k https://127.0.0.1:7444
*   Trying 127.0.0.1:7444...
* Connected to 127.0.0.1 (127.0.0.1) port 7444 (#0)
* ALPN: offers http/1.1

 

If the above command fails to connect, it means that port 7444 is blocked on the vCenter.

To check for firewall rules on the vCenter, list the iptables rules using the following command:

iptables -L | grep -i 7444
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7444
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7444

In this case, we can see two drop rules for port 7444.

 

Resolution

1. Remove any firewall rule set for port 7444 on the vCenter.

2. To edit iptables and remove the firewall rule, follow the steps below.

Export the firewall rules using: iptables-save > /var/tmp/iptables.rules.default

Edit the file, remove the entry and save the file: vi /var/tmp/iptables.rules.default

cat or less the file again and make sure that the entry is gone.

Now restore the firewall rules with: iptables-restore < /var/tmp/iptables.rules.default

Run the iptables -nL command again and make sure the rule is not there.

3. Run the curl command and test the connection on port 7444.

curl -vvv -k https://127.0.0.1:7444

4. Retry the upgrade.
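
The manual edit in step 2, as an added example that is not part of the original article: a script that removes only the DROP rules for TCP port 7444 from an iptables-save dump and checks that no other rule was touched. The sample dump, its chain names and the iptables.rules.cleaned file name are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the KB article. Removes only the DROP rules for
# TCP port 7444 from an iptables-save dump and verifies nothing else changed.
PORT=7444
# Matches e.g. "-A INPUT -p tcp -m tcp --dport 7444 -j DROP". The space after
# the port keeps 74440 out; "( |$)" keeps a custom target such as DROPLOG out.
RULE_RE="^-A .*--dport ${PORT} .*-j DROP( |\$)"

# Constructed sample dump (chain names and the other rules are illustrative).
sample_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7444 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7444 -j DROP
-A INPUT -p tcp -m tcp --dport 74440 -j DROP
COMMIT
EOF
}

# Print the number of matching DROP rules in dump file $1 (0 if none).
count_drop_rules() { grep -cE -- "$RULE_RE" "$1" || true; }

# Show the matching rules with their line numbers, for review before removal.
list_drop_rules() { grep -nE -- "$RULE_RE" "$1"; }

# Copy dump $1 to $2 without the matching rules. Succeeds only if exactly the
# counted rules disappeared and none remain, so a bad pattern cannot silently
# delete unrelated firewall rules.
strip_drop_rules() (
    removed=$(count_drop_rules "$1")
    grep -vE -- "$RULE_RE" "$1" > "$2" || [ $? -eq 1 ]
    before=$(wc -l < "$1"); after=$(wc -l < "$2")
    [ $((before - after)) -eq "$removed" ] && [ "$(count_drop_rules "$2")" -eq 0 ]
)

# Demo on the constructed sample; on an appliance, pass the exported file instead.
demo_dir=$(mktemp -d)
sample_dump > "$demo_dir/iptables.rules.default"
list_drop_rules "$demo_dir/iptables.rules.default"
strip_drop_rules "$demo_dir/iptables.rules.default" "$demo_dir/iptables.rules.cleaned" \
    && echo "removed DROP rules for port $PORT; remaining rules unchanged"
rm -rf "$demo_dir"
```

On the appliance, run the functions against /var/tmp/iptables.rules.default and validate the cleaned file with iptables-restore --test before restoring it.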