vCenter SHA-1 validation Upgrade Precheck fails due to HCX VM.

Article ID: 377581


Products

VMware SDDC Manager
VMware HCX

Issue/Introduction

This article provides a solution for the certificate validation error that occurs when an HCX VM is installed in the vCenter.


Symptoms:

  • vSphere SHA-1 Validation is failing with the following error:

  • Executing the script provided in the article "Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm" does not report any certificate with a weak algorithm in the vCenter VECS store.


  • The environment is using an HCX VM. The HCX mobilityagent logs contain errors similar to the excerpt below:

    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Activation <<########-####-####-####-############, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 36042'>>, ha-certificate-manager, vim.host.CertificateManager.listCACertificates, <vim.version.v8_0_2_0, internal, 8.0.2.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x00007f6b5c009188]> : Invoke done [listCACertificates] on [vim.host.CertificateManager:ha-certificate-manager]
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Throw vmodl.fault.SecurityError
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Result:
    --> (vmodl.fault.SecurityError) {
    -->    faultCause = (vmodl.MethodFault) null, 
    -->    faultMessage = <unset>
    -->    msg = ""
    --> }
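
The following is an added example, not part of the original article or of VMware's tooling: a small Python check that scans mobilityagent log lines for the symptom above, a `listCACertificates` activation followed by `vmodl.fault.SecurityError` on the same process and opID. The sample lines are constructed from the excerpt; the opID values and the placeholder method name are assumptions.

```python
import re

# Header of a mobilityagent log entry, following the layout of the excerpt above.
ENTRY = re.compile(
    r"mobilityagent\[(?P<pid>\d+)\]\s+\[Originator@\d+\s+sub=\S+\s+"
    r"opID=(?P<opid>[^\s\]]+)[^\]]*\]\s+(?P<msg>.*)"
)
CA_LIST = "vim.host.CertificateManager.listCACertificates"


def find_ca_list_security_errors(lines):
    """Return (pid, opID) pairs whose listCACertificates call threw SecurityError."""
    pending = set()  # calls seen, fault not yet seen
    hits = []
    for line in lines:
        m = ENTRY.search(line)
        if m is None:
            continue  # "--> ..." continuation lines and unrelated entries
        key, msg = (m["pid"], m["opid"]), m["msg"]
        if msg.startswith("Activation"):
            # A new activation on the same opID replaces whatever was pending.
            if CA_LIST in msg:
                pending.add(key)
            else:
                pending.discard(key)
        elif msg.startswith("Throw vmodl.fault.SecurityError") and key in pending:
            pending.discard(key)
            hits.append(key)
    return hits


# Constructed sample input modelled on the excerpt (opIDs and the placeholder method are made up).
PREFIX = r"info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=%s user=:VSPHERE.LOCAL\Administrator] "
SAMPLE = [
    (PREFIX % "aaaa1111-0001") + "Activation <<id, ha-certificate-manager, " + CA_LIST + ", <vim.version.v8_0_2_0>> : Invoke done [listCACertificates]",
    (PREFIX % "aaaa1111-0001") + "Throw vmodl.fault.SecurityError",
    (PREFIX % "aaaa1111-0001") + "Result:",
    "--> (vmodl.fault.SecurityError) {",
    "--> }",
    (PREFIX % "bbbb2222-0002") + "Activation <<id, placeholder-manager, vim.example.Placeholder.method, <vim.version.v8_0_2_0>> : Invoke done [method]",
    (PREFIX % "bbbb2222-0002") + "Throw vmodl.fault.SecurityError",
]

if __name__ == "__main__":
    for pid, opid in find_ca_list_security_errors(SAMPLE):
        print(f"mobilityagent[{pid}] opID={opid}: listCACertificates -> SecurityError")
```

A SecurityError on an opID that never invoked `listCACertificates` is not reported, so unrelated faults in the same log do not count as this symptom.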

Environment

VMware Cloud Foundation 5.1
VMware HCX

Resolution

To resolve the issue, remove the HCX VM and retry the precheck.

Workaround

IMPORTANT NOTE: Make sure that backups/snapshots have been taken prior to any modification.

  1. Take a snapshot of SDDC Manager without memory.

  2. Back up the original file /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py to /root/vsphere8_upgrade_certificate_checks.py.backup:

    cp /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py /root/vsphere8_upgrade_certificate_checks.py.backup

  3. Copy the file vsphere8_upgrade_certificate_checks.py.new attached to this article to the /tmp folder on SDDC Manager using WinSCP.

  4. From the /tmp folder, change the permissions and group for the vsphere8_upgrade_certificate_checks.py.new file:

    chmod 555 vsphere8_upgrade_certificate_checks.py.new

    chown vcf_operationsmanager:vcf vsphere8_upgrade_certificate_checks.py.new

  5. Replace the original file using the command:

    cp /tmp/vsphere8_upgrade_certificate_checks.py.new /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py


  6. Validate the permissions and ownership of the file:

    ls -lha /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py

    The owner and group must be: vcf_operationsmanager vcf

  7. Run the SDDC Manager precheck.

Attachments

vsphere8_upgrade_certificate_checks.py.new