vCenter SHA-1 validation Upgrade Precheck fails due to HCX VM.

Article ID: 377581

Updated On:

Products

VMware SDDC Manager VMware HCX

Issue/Introduction

This article provides a solution for the certificate validation error that occurs when an HCX VM is installed in the vCenter.

Symptoms:

  • vSphere SHA-1 Validation is failing with the following error:

  • Executing the script provided in the article "Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm" does not report any certificate with a weak algorithm in the vCenter VECS store.

  • The environment is using an HCX VM. The HCX mobilityagent logs contain errors similar to the excerpt below:

    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Activation <<########-####-####-####-############, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 36042'>>, ha-certificate-manager, vim.host.CertificateManager.listCACertificates, <vim.version.v8_0_2_0, internal, 8.0.2.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x00007f6b5c009188]> : Invoke done [listCACertificates] on [vim.host.CertificateManager:ha-certificate-manager]
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Throw vmodl.fault.SecurityError
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:VSPHERE.LOCAL\Administrator] Result:
    --> (vmodl.fault.SecurityError) {
    -->    faultCause = (vmodl.MethodFault) null, 
    -->    faultMessage = <unset>
    -->    msg = ""
    --> }

Environment

  • VMware Cloud Foundation 5.1
  • VMware HCX

Cause

HCX deploys an ESX virtual machine that is not a standard ESX host. It does not support some APIs, such as ListCACertificates(), which the script calls to run its checks.

As a result, when the script runs against the HCX ESX virtual machine, it fails to retrieve the certificates and throws the error "Caught exception while validating host XXX-HCX-ESX-IP: Access to perform the operation was denied."
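
To confirm from a mobilityagent log that this cause applies, the listCACertificates call can be paired with the SecurityError that follows it. The sketch below is an added example, not part of this article or of the attached script; it assumes both log lines of one call carry the same opID, and the opIDs in the sample lines are constructed because the article masks the real ones.

```python
import re

# Log prefix as it appears in the article's mobilityagent excerpt.
PREFIX = re.compile(
    r"mobilityagent\[\d+\] \[Originator@\d+ sub=\S+ opID=(?P<opid>\S+) "
    r"user=(?P<user>[^\]]*)\]"
)
INVOKE = "Invoke done [listCACertificates]"
THROW = "Throw vmodl.fault.SecurityError"

def denied_ca_listings(lines):
    """Return (opID, user) pairs where listCACertificates was followed by SecurityError.

    Assumption: the invoke line and the throw line of one call share an opID.
    """
    pending = {}  # opID -> user, for listCACertificates calls not yet failed
    hits = []
    for line in lines:
        m = PREFIX.search(line)
        if m is None:
            continue  # "-->" continuation lines carry no prefix
        opid = m.group("opid")
        if INVOKE in line:
            pending[opid] = m.group("user")
        elif THROW in line and opid in pending:
            hits.append((opid, pending.pop(opid)))
    return hits

# Constructed sample lines in the excerpt's format (opIDs are invented).
_P = ("info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi "
      "opID={} user=:VSPHERE.LOCAL\\Administrator] ")
SAMPLE_LOG = [
    _P.format("aaaa1111-0001") + "Activation <...> : Invoke done [listCACertificates] "
    "on [vim.host.CertificateManager:ha-certificate-manager]",
    _P.format("aaaa1111-0001") + "Throw vmodl.fault.SecurityError",
    _P.format("aaaa1111-0001") + "Result:",
    "--> (vmodl.fault.SecurityError) {",
    "--> }",
    # SecurityError with no preceding listCACertificates call: not counted.
    _P.format("bbbb2222-0002") + "Throw vmodl.fault.SecurityError",
    # listCACertificates call with no fault logged: not counted.
    _P.format("cccc3333-0003") + "Activation <...> : Invoke done [listCACertificates] "
    "on [vim.host.CertificateManager:ha-certificate-manager]",
]

if __name__ == "__main__":
    for opid, user in denied_ca_listings(SAMPLE_LOG):
        print(f"listCACertificates denied: opID={opid} user={user}")
```
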

Resolution

To resolve the issue, remove the HCX VM and retry the precheck.

Workaround
IMPORTANT NOTE: Make sure that backup/snapshots have been taken prior to any modification.

  1. Take a snapshot of SDDC Manager without memory.
  2. Back up the original file:
    • cp /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py /root/vsphere8_upgrade_certificate_checks.py.backup
  3. Copy the file vsphere8_upgrade_certificate_checks.py.new attached to this article to the /tmp folder on SDDC Manager using WinSCP.
  4. Change the permissions and group for the vsphere8_upgrade_certificate_checks.py.new file.
    • chmod 555 vsphere8_upgrade_certificate_checks.py.new
    • chown vcf_operationsmanager:vcf vsphere8_upgrade_certificate_checks.py.new
  5. Replace the original file using the command:
    • cp /tmp/vsphere8_upgrade_certificate_checks.py.new /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py
  6. Validate the permission of the file:
    • ls -lha /opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py
    • It must be: -rw-rw-r-- 1 vcf_operationsmanager vcf
  7. Run the SDDC Manager pre-check.

Attachments

vsphere8_upgrade_certificate_checks.py.new