Symptoms:
There is an error while performing spherelet version compatibility precheck: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)
High: Do not perform upgrade without addressing this issue. Check log at /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/spherelet-version-mismatch-precheck-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-log.txt.
vSphere SHA-1 validation failed
High: Do not perform upgrade without addressing this issue. Check the /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/vsphere-sha1-validation-execution-error-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt file for more details. If that file contains the error code 'rpc_s_connection_closed', retry the precheck: it could not connect to verify whether weak algorithms (e.g. SHA-1) are in use on the vCenter.
ERROR Caught exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)
Traceback (most recent call last):
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py", line 668, in validate_all_esx_hosts
    si = get_si(cert_store)
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py", line 344, in get_si
    si = SmartConnect(host=server, port=port_number,
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 842, in SmartConnect
    supportedVersion = __FindSupportedVersion(protocol,
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 720, in __FindSupportedVersion
    serviceVersionDescription = __GetServiceVersionDescription(protocol,
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 641, in __GetServiceVersionDescription
    tree = __GetElementTree(protocol, server, port,
  File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 608, in __GetElementTree
    conn.request("GET", path)
  File "/usr/lib/python3.10/http/client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 976, in send
    self.connect()
  File "/usr/lib/python3.10/http/client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)
Environment:
VMware SDDC Manager 5.1.x
VMware SDDC Manager 4.x
Cause:
The prechecks fail with an exception because SDDC Manager cannot establish a trusted TLS connection to the vCenter to retrieve the VMware Endpoint Certificate Store (VECS) information: the CA that issued the vCenter certificate is not present in the SDDC Manager trust store, so certificate verification fails with "unable to get issuer certificate".
This issue can occur if the vCenter certificate has been replaced outside of SDDC Manager.
Resolution:
Add the CA that signs the vCenter certificate to the SDDC Manager trust store to re-establish trust between both parties.
Once trust has been established between SDDC Manager and the vCenter, retry the prechecks.
To do so, use the following procedures:
A. To retrieve the CA from the VECS (in case you don't have the .PEM file available):
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <CA-Alias> --output /tmp/<CA-name>.crt
B. To import into SDDC Manager:
su
cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key
(This file holds the keystore password that keytool prompts for in the next steps.)
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts
keytool -list -v -keystore /etc/alternatives/jre/lib/security/cacerts
<aliasname>: This can be any user-defined name.
<certificate file>: Provide the path of the root CA certificate.
curl -X POST localhost/appliancemanager/trustedCertificates/refresh
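The precheck fails inside Python's ssl module, so the most direct way to confirm the import worked is to repeat the same kind of verified handshake from Python with the CA you exported in step A, before re-running the prechecks. The script below is an added example, not part of this article or of VMware's precheck code; it assumes a vCenter FQDN and the path of the exported CA file are passed on the command line, and the remediation hints it maps OpenSSL verify messages to are the author's own (constructed) guidance, not VMware-published text.

```python
"""Check whether Python's TLS stack trusts a vCenter certificate using only
the CA file exported from VECS (example diagnostic; not VMware's precheck)."""
import socket
import ssl
import sys

# Constructed sample: the verify message quoted in the article, used in offline tests.
SAMPLE_ERROR = ("[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
                "unable to get issuer certificate (_ssl.c:1007)")

# Assumed mapping from OpenSSL verify messages to the usual remediation.
VERIFY_HINTS = {
    "unable to get issuer certificate":
        "the CA that signed the vCenter certificate is not in the trust store; "
        "export it from VECS (TRUSTED_ROOTS) and import it with keytool",
    "unable to get local issuer certificate":
        "the issuing CA is missing from the local bundle; import the root "
        "(and any intermediate) CA certificate",
    "self signed certificate":
        "the server presents a self-signed certificate; import that certificate "
        "itself as the trust anchor",
    "self-signed certificate":
        "the server presents a self-signed certificate; import that certificate "
        "itself as the trust anchor",
    "certificate has expired":
        "a certificate in the chain has expired; renew it before retrying the precheck",
    "Hostname mismatch":
        "the certificate is valid but not issued for this host name; connect "
        "using a name listed in the certificate's SAN",
}


def classify_verify_error(message: str) -> str:
    """Map an ssl.SSLCertVerificationError message to a remediation hint."""
    for needle, hint in VERIFY_HINTS.items():
        if needle in message:
            return hint
    return "unrecognised verification failure; inspect the full error text"


def rdn_to_string(name) -> str:
    """Flatten the tuple-of-tuples DN format returned by SSLSocket.getpeercert()."""
    return ", ".join(f"{key}={value}" for rdn in name for key, value in rdn)


def issuer_of(peercert: dict) -> str:
    """Issuer DN of a peer certificate dict; this is the CA you need to trust."""
    return rdn_to_string(peercert.get("issuer", ()))


def check_vcenter_trust(host: str, cafile: str, port: int = 443, timeout: float = 10.0):
    """Perform a verified handshake trusting ONLY cafile.

    Returns (True, "subject=...; issuer=...") when the chain verifies, or
    (False, hint) when verification fails the way the precheck does.
    """
    # create_default_context with cafile loads only that file, so this tells us
    # whether the exported CA on its own is sufficient to validate the server.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only after successful verification
        return True, f"subject={rdn_to_string(cert['subject'])}; issuer={issuer_of(cert)}"
    except ssl.SSLCertVerificationError as exc:
        return False, classify_verify_error(str(exc))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <vcenter-fqdn> <exported-ca.crt>")
    ok, detail = check_vcenter_trust(sys.argv[1], sys.argv[2])
    print(("TRUSTED: " if ok else "NOT TRUSTED: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_vcenter_trust.py vcenter.example.test /tmp/<CA-name>.crt` from the SDDC Manager appliance. A "TRUSTED" result with the expected issuer DN confirms that the file you are about to import with keytool is the right CA; a "NOT TRUSTED" result with the "unable to get issuer certificate" hint means you exported a different CA than the one that signed the vCenter certificate, and the precheck will keep failing after the import.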
On some occasions you might also need to update the SSH host keys on the SDDC Manager to establish the connection; see:
How to update the SSH host keys on the SDDC Manager