Pre-check error while upgrading domain using SDDC "vSphere SHA-1 validation failed"
search cancel

Pre-check error while upgrading domain using SDDC "vSphere SHA-1 validation failed"

book

Article ID: 385666

calendar_today

Updated On:

Products

VMware SDDC Manager

Issue/Introduction

Prechecks during preparation for an SDDC upgrade to 5.x can give an error with the message:

ERROR vSphere SHA-1 validation failed
High: Do not perform upgrade without addressing this issue.
Check the /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/########-####-####-############/artifacts/vsphere-sha1-validation-execution-error-########-####-####-############.txt file for more details. If that file contains error code 'rpc_s_connection_closed' then please retry the precheck as it could not connect to verify whether weak algorithms (e.g. SHA-1) are in use on the vCenter.

Environment

SDDC Version 5.x

Cause

Referencing the log file mentioned in the error, we find a message similar to the one below:

/opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVmomi/Version.py:26: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if isLegacy or ns is "":
YYYY-MM-DD HH:MM:SS.SSSZ ERROR Error: Failed to trigger root cert refresh

vecs-cli failed. Error 382312694: Access denied, reason = rpc_s_auth_method (0x16c9a0f6).
YYYY-MM-DD HH:MM:SS.SSSZ ERROR Failed to refresh vecs store.
 Error: Error: Failed to trigger root cert refresh

vecs-cli failed. Error 382312694: Access denied, reason = rpc_s_auth_method (0x16c9a0f6).

The key error to look for being:

YYYY-MM-DD HH:MM:SS.SSSZ ERROR Failed to refresh vecs store.
 Error: Error: Failed to trigger root cert refresh

 

Resolution

Within the VECS store, the refresh function has fallen out of sync; a manual refresh is required on the vCenter appliance.

  1. Take a snapshot of the vCenter Appliance. Need to take the offline snapshot for all of ELM vCenter Server. See also VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
  2. SSH using root to the vCenter.
  3. Run the following command:
    # /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Proceed to run the precheck once more and the error should be cleared.

Additional Information

The command below is useful for  verification :

SSH to vCenter and run the below command:
 
 
echo | openssl s_client -connect localhost:443 2>/dev/null | \ openssl x509 -noout -text | grep "Signature Algorithm"
 
 

What it helps with:

  • Confirms whether the currently served vCenter certificate is SHA-1 or SHA-256

  • Useful before or after vecs-cli force-refresh

 

Powered by Wolken Software