Spherelet version compatibility and SHA-1 validation certificate prechecks are failing on the SDDC manager.
Article ID: 381003
Updated On:
Products
Issue/Introduction
Symptoms:
- When running the vCenter upgrade prechecks on the SDDC manager GUI both the Spherelet version compatibility and the SHA-1 validation are failing with the following errors:
There is an error while performing spherelet version compatibility precheck: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)High: Do not perform upgrade without addressing this issue.Check log at /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/spherelet-version-mismatch-precheck-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-log.txt.vSphere SHA-1 validation failedHigh: Do not perform upgrade without addressing this issue.Check the /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/vsphere-sha1-validation-execution-error-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt file for more details. If that file contains error code 'rpc_s_connection_closed' then please retry the precheck as it could not connect to verify whether weak algorithms (e.g. SHA-1) are in use on the vCenter.
- The vCenter does not report any invalid certificate when running the certificate verification Standalone Precheck Script
- vSphere for Tanzu is not installed in the vCenter.
- When we verify the precheck logs spherelet-version-mismatch-precheck.log.txt and vsphere-sha1-validation-execution-error.txt retrieved from the prechecks error messages we are seeing the following error:
ERROR Caught exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)Traceback (most recent call last):File "/opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py", line 668, in validate_all_esx_hostssi = get_si(cert_store)File "/opt/vmware/vcf/operationsmanager/scripts/assessment/common-validations/vsphere8_upgrade_certificate_checks.py", line 344, in get_sisi = SmartConnect(host=server, port=port_number,File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 842, in SmartConnectsupportedVersion = __FindSupportedVersion(protocol,File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 720, in __FindSupportedVersionserviceVersionDescription = __GetServiceVersionDescription(protocol,File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 641, in __GetServiceVersionDescriptiontree = __GetElementTree(protocol, server, port,File "/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVim/connect.py", line 608, in __GetElementTreeconn.request("GET", path)File "/usr/lib/python3.10/http/client.py", line 1283, in requestself._send_request(method, url, body, headers, encode_chunked)File "/usr/lib/python3.10/http/client.py", line 1329, in _send_requestself.endheaders(body, encode_chunked=encode_chunked)File "/usr/lib/python3.10/http/client.py", line 1278, in endheadersself._send_output(message_body, encode_chunked=encode_chunked)File "/usr/lib/python3.10/http/client.py", line 1038, in _send_outputself.send(msg)File "/usr/lib/python3.10/http/client.py", line 976, in sendself.connect()File "/usr/lib/python3.10/http/client.py", line 1455, in connectself.sock = self._context.wrap_socket(self.sock,File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socketreturn self.sslsocket_class._create(File "/usr/lib/python3.10/ssl.py", line 1071, in _createself.do_handshake()File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshakeself._sslobj.do_handshake()ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1007)
Environment
VMware SDDC Manager 5.1.x
VMware SDDC Manager 4.x
Cause
The prechecks are failing with an exception as SDDC manager is not able to establish a trusted connection to the vCenter to retrieve the VMware Endpoint Certificate Store (VECS) information.
This issue might occur if the vCenter Certificates has been replaced outside of SDDC Manager.
Resolution
Add the CA signing the vCenter Certificate to the SDDC Manager trust store to re-establish the trust between both parties.
Once trust has been established between the SDDC manager and the vCenter reattempt the prechecks.
To achieve the task use one of the following procedures:
- Using the SDDC Manager UI:
Add a Trusted Certificate to the SDDC Manager Trust Store
(This functionality is available in VMware Cloud Foundation 4.5.1 and later) - From the SDDC manager command line using one of the following KB articles:
- For VMCA signed certificates:
How to import the vCenter root certificate into the SDDC manager TrustStore - For Custom CA signed Certificates:
How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores
- For VMCA signed certificates:
- Manual procedure to export the certificate from vCenter and import to SDDC manager:
(Needs to applied for the full chain of trust of the certificate, Root CA and any sub-CAs)
A. To retrieve the CA from the VECS (in case you don't have the .PEM file available):
-
-
-
- Login to the vCenter on SSH
- Retrieve the list of certificates from the Trusted Root store using the following command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text - Identify the issuing CA (and any subCA if applicable) from the list and note the aliases.
- Export the CA certificates to file:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <CA-Alias> --output /tmp/<CA-name>.crt
Note: Replace <CA-Alias> and <CA-name> accordingly with the information retrieved from step 3. Repeat for any SubCA if applicable. - Retrieve the .crt files using a file transfer utility
- Login to the vCenter on SSH
-
-
B. To import in SDDC manager:
-
-
-
- Use any file transfer utility to copy root CA certificate file to the /tmp directory on the SDDC-Manager VM.
SSH to SDDC-Manager and change to the root user:su - Run the below command to get commonsvcs truststore password
cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key - Use the following command to import root CA to commonsvcs truststore:
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
Note: <aliasname> : This can be any user defined name. <certificate file> : Provide the path of root CA Certificate - When prompted, provide the password to add certificate to truststore obtained in step 2.
- Type yes when prompted to trust the certificate.
- Verify if new root CA is added to common services truststore, enter the password for truststore key obtained in step 2.
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store - Use the following command to import root CA to SDDC-Manager truststore:
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts
Note:<aliasname>: This can be any user defined name.<certificate file>: Provide the path of root CA Certificate - When prompted, provide the password to add certificate to truststore.
- Type yes when prompted to trust the certificate.
- Verify if new root CA is added to SDDC-Manager truststore.
keytool -list -v -keystore /etc/alternatives/jre/lib/security/cacerts
- After importing CA certificate to the truststore, refresh the trusted certificates using the API from the SDDC-Manager
curl -X POST localhost/appliancemanager/trustedCertificates/refresh
- Use any file transfer utility to copy root CA certificate file to the /tmp directory on the SDDC-Manager VM.
-
-
Additional Information
In some occasions we might need also to update the SSH host keys on the SDDC Manager to establish the connection:
How to update the SSH host keys on the SDDC Manager
Feedback
