"Cannot execute upgrade script on host” error while upgrading ESXi from 7.0U3 to 8.0U2d using Custom Image
search cancel

"Cannot execute upgrade script on host” error while upgrading ESXi from 7.0U3 to 8.0U2d using Custom Image

book

Article ID: 375707

calendar_today

Updated On:

Products

VMware vSphere ESXi 7.0 VMware vSphere ESXi 8.0 VMware vCenter Server 7.0 VMware vCenter Server 8.0

Issue/Introduction

  • "Cannot execute upgrade script on host" error seen while upgrading Host via lifecycle manager.
  • Lifecycle Manager fails to upgrade host with custom baseline group configured.
  • While upgrading the ESXi from CLI using the custom offline bundle, it still fails with "profile validation" error.
  • Upon checking the "profile validation" on the ESXi host, we see the following error:-

YYYY-MM-DDTHH:MM:SS:MSECZ esxupdate: 10031191: root: INFO: Options = {'depot': None, 'viburl': None, 'nameid': None, 'profile': None, 'baseimageversion': None, 'addon': None, 'softwarespec': None, 'level': None, 'updateonly': False, 'noliveinstall': False, 'nomaintmode': False, 'force': False, 'dryrun': False, 'oktoremove': False, 'proxy': None, 'nosigcheck': False, 'pending': None, 'rebooting': False, 'downgrade': None, 'nohwwarning': False}
YYYY-MM-DDTHH:MM:SSZ  esxupdate: 10031191: HostImage: INFO: Installers initiated are {'live': <vmware.esximage.Installer.LiveImageInstaller.LiveImageInstaller object at 0x9fea39d160>, 'boot': <vmware.esximage.Installer.BootBankInstaller.BootBankInstaller object at 0x9fea50d220>, 'locker': <vmware.esximage.Installer.LockerInstaller.LockerInstaller object at 0x9fea39d3d0>}
YYYY-MM-DDTHH:MM:SSZ  esxupdate: 10034336: vmware.esximage.Vib: DEBUG: Verifying VIB VMW_bootbank_mtip32xx-native_3.9.8-1vmw.703.0.20.19193900 signature #2
YYYY-MM-DDTHH:MM:SSZ  esxupdate: 10034336: vmware.esximage.Vib: ERROR: Failed to verify VIB signature #2: ('VMW_bootbank_mtip32xx-native_3.9.8-1vmw.703.0.20.19193900', 'Could not find a trusted signer: self signed certificate')

Note : In the above events, after the "Installers initiated" event, we see multiple events for failed to verify VIB signature for all the VIBs in the image.

Environment

  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x

Cause

  • This error occurs because the upgrade process encounters a VIB that fails signature verification. In this specific case, the VMW_bootbank_mtip32xx-native VIB is signed with a self-signed certificate that is not trusted by the host.
  • During a Lifecycle Manager upgrade, ESXi requires all VIBs to be signed by a trusted VMware or partner certificate authority. If the signature cannot be validated, the upgrade is blocked to maintain system integrity and security.

Resolution

Steps to update profile in ESXi host: 

  • Update the current profile of the ESXi
    • esxcli software sources profile list  -d /vmfs/volumes/DATASTORE/ZIP 
    • esxcli software profile update -d /vmfs/volumes/DATASTORE/ZIP -p Image_Profile_from_aboveoutput 
  • If the above command gives an error, try the below command:
    • esxcli software sources profile list -d /vmfs/volumes/datastore1/ESXi710_2100087.zip
    • esxcli software profile install -d /vmfs/volumes/DATASTORE/ZIP -p Image_Profile_from_aboveoutput 
  • Following the profile re-install, retry the ESXi upgrade from LCM using the baseline group.
  • Host will be upgraded successfully.
Powered by Wolken Software