vCenter Server upgrade fails with error: "The source host thumbprint is different than the provided one"

Article ID: 373348

Updated On:

Products

VMware vCenter Server

Issue/Introduction

During a vCenter Server upgrade, the process may fail at Stage 2 with the error message: "Pre-upgrade check result: Error - The source host thumbprint is different than the provided one."

Environment



Cause

This error typically occurs due to network connectivity issues between the newly deployed vCenter Server and the source environment. Common causes include:

  1. Firewall restrictions blocking communication between the new and old vCenter Servers or ESXi hosts.
  2. DNS resolution problems preventing proper name resolution.
  3. Network configuration changes during the upgrade process.
  4. DRS automatically moving the new vCenter VM to a different host when powering on during the upgrade process, causing a mismatch in expected host thumbprints.

Resolution

Option 1: Verify network connectivity:

    1. From the jump host, ping the temporary IP address assigned to the new vCenter Server.
    2. From the jump host, ping the source vCenter Server and all the ESXi hosts.
    3. From the new vCenter Server, ping the source vCenter Server and all ESXi hosts in the source vCenter.

Option 2: Check firewall settings:

    1. Review firewall rules on the network between the jump host, new vCenter Server, source vCenter Server, and ESXi hosts.
    2. Ensure that required ports for vCenter Server communication are open.

      For more information, refer to:
      TCP and UDP ports required to access VMware vCenter Server
      Port requirements for VMware vSphere ESXi



Option 3: Verify DNS settings:

    1. Check DNS resolution for all involved systems (jump host, source vCenter Server, ESXi hosts).
    2. Update DNS records if necessary to ensure proper name resolution.

    Note: The DNS record must not be updated for the new vCenter, as this will create a conflict in DNS resolution with the source vCenter.



Option 4: Use consistent deployment targets:

               Use the same deployment target (ESXi host or vCenter Server) for both Stage 1 and Stage 2 of the upgrade process.


Option 5: Adjust DRS settings:

    1. Set the DRS automation level to "Manual" for the cluster where the new vCenter Server is being deployed.
    2. Or create a DRS rule to keep the new vCenter Server VM on its original deployment host during the upgrade process.

Option 6: Regenerate SSL certificates if needed:

    If certificate issues persist, consider regenerating SSL certificates for the involved systems. For more information, refer to Using vSphere Certificate Manager to Replace SSL Certificates.


Option 7: If all of the above options check out as normal, retry the upgrade from Stage 1.

    Redeploy the target VCSA appliance and use a vCenter Server address as the source and target VM destinations.

    1. Restart the VCSA deployment from Stage 1.
    2. Proceed to the "Connect to Source Appliance" page of the UI Installer.
    3. Under "ESXi Host or vCenter Server that manages the source appliance", provide the vCenter Server and SSO credentials instead of an ESXi host.
    4. Proceed to the "vCenter Server Deployment Target" page of the UI Installer.
    5. For the target, provide the vCenter Server and SSO credentials that manage the desired target ESXi host; you will be prompted on the next page to select the cluster and host. Finish the rest of Stage 1 as done previously.

 

Option 8: The logs mention the correct thumbprint, which in my case was the host thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, but it needs to be in the colon-separated format (XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX), so you can either create it manually from the logs or follow the steps below.

    To get the host thumbprint and apply it on both the Source and Target (newly deployed node) vCenters, do the following:

    1. SSH to the ESXi host where both vCenters reside.
    2. Change to the /etc/vmware/ssl directory (cd /etc/vmware/ssl) and run the command below:

        openssl x509 -in rui.crt -fingerprint

    3. On both vCenters, check whether the configured thumbprint matches the host each one resides on by using the command below:

        install-parameter upgrade.source.ssl.thumbprint

    4. Take the fingerprint output from step 2, add it to the command below, and run it from an SSH session on the vCenter (apply to each vCenter the thumbprint of the host it resides on):

        install-parameter upgrade.source.ssl.thumbprint -s "Thumb_Print"

        (Example: install-parameter upgrade.source.ssl.thumbprint -s "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX")

    5. Re-run the pre-checks and proceed further.
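
The thumbprint is the value the upgrade uses to confirm it is talking to the expected host, so a value copied from a log should be compared against the host's own certificate before it is set. The script below is an added example, not part of the original article or a VMware tool: it converts a bare hex thumbprint to the colon-separated form and compares it with an openssl fingerprint line. The function names and sample values are hypothetical, and it assumes a 20-byte (SHA-1) thumbprint, the length shown in the example above.

```shell
#!/bin/sh
# Added example; all sample values are constructed, not from a real host.

# Print a thumbprint in upper-case colon-separated form.
# Accepts bare hex, colon-separated hex, or an openssl output line
# ("SHA1 Fingerprint=AA:BB:..."). Returns 1 unless the value is
# exactly 20 hex bytes (assumed SHA-1 length).
normalize_thumbprint() {
    hex=$(printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F')
    case "$hex" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hex}" -eq 40 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Return 0 if both values are the same thumbprint, 1 if they differ,
# 2 if either one is malformed.
thumbprints_match() {
    a=$(normalize_thumbprint "$1") || return 2
    b=$(normalize_thumbprint "$2") || return 2
    [ "$a" = "$b" ]
}

# Constructed inputs: a bare value as it might be copied from a log, and a
# line in the format printed by:
#   openssl x509 -in rui.crt -noout -fingerprint -sha1
from_log='0123456789abcdef0123456789abcdef01234567'
from_openssl='SHA1 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

if thumbprints_match "$from_log" "$from_openssl"; then
    echo "Match. Value to pass to install-parameter -s:"
    normalize_thumbprint "$from_log"
else
    echo "Mismatch or malformed input: do not apply this thumbprint." >&2
fi
```

A mismatch means the log value belongs to a different certificate than the one on the host that was checked, which is worth explaining before the stored thumbprint is overwritten.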

 

Option 9: Engage network team:

                If network issues are suspected, involve your network team to investigate and resolve any potential routing or firewall problems.