VCF SDDC Manager upgrade pre-check fails with "vSphere SHA-1 validation failed"

Article ID: 385666


Products

VMware SDDC Manager

Issue/Introduction

  • During preparation for a VMware Cloud Foundation (VCF) 5.x upgrade, the SDDC Manager pre-check may fail with the following error:
    ERROR vSphere SHA-1 validation failed
    High: Do not perform upgrade without addressing this issue.
    Check the /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/########-####-####-############/artifacts/vsphere-sha1-validation-execution-error-########-####-####-############.txt file for more details.

Environment

VMware Cloud Foundation 5.x

Cause

  • The specified log file contains messages similar to the following:
    /opt/vmware/vcf/operationsmanager/scripts/assessment/2x-migration/lib/third-party/pyvmomi-7.0.1/pyVmomi/Version.py:26: SyntaxWarning: "is" with a literal. Did you mean "=="?
      if isLegacy or ns is "":
    YYYY-MM-DD HH:MM:SS.SSSZ ERROR Error: Failed to trigger root cert refresh
    vecs-cli failed. Error 382312694: Access denied, reason = rpc_s_auth_method (0x16c9a0f6).
    YYYY-MM-DD HH:MM:SS.SSSZ ERROR Failed to refresh vecs store.
     Error: Error: Failed to trigger root cert refresh
    vecs-cli failed. Error 382312694: Access denied, reason = rpc_s_auth_method (0x16c9a0f6).
  • The lines that identify this issue are the following (the pyVmomi SyntaxWarning above them is a Python warning, not the failure):
    YYYY-MM-DD HH:MM:SS.SSSZ ERROR Failed to refresh vecs store.
     Error: Error: Failed to trigger root cert refresh


Resolution

The root certificate refresh of the VMware Endpoint Certificate Store (VECS) on the vCenter Server is out of sync: when the pre-check tries to trigger it through vecs-cli, the request is rejected with the "Access denied, reason = rpc_s_auth_method" error shown above, and the SHA-1 validation is reported as failed. A manual force-refresh on the vCenter Server is required to clear the condition.

  1. Take an offline snapshot of all vCenter Server appliances in the Enhanced Linked Mode (ELM) configuration. Reference: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.

  2. Connect to the vCenter Server appliance via SSH and log in as root.

  3. Execute the following command to force a VECS refresh:
     /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  4. Re-run the SDDC Manager upgrade pre-check. The error should be cleared.

Additional Information

The following command shows which signature algorithm the certificate currently served on the vCenter Server's port 443 (the machine SSL certificate) was signed with. It can be executed before or after the force-refresh.

Connect to the vCenter Server via SSH and execute:

echo | /usr/bin/openssl s_client -connect localhost:443 2>/dev/null | /usr/bin/openssl x509 -noout -text | grep "Signature Algorithm"

sha256WithRSAEncryption in the output indicates a SHA-256 signature, sha1WithRSAEncryption a SHA-1 one. The line is printed twice (once inside the TBS certificate data, once for the outer signature) and both should agree. Note that openssl x509 decodes only the first certificate it is given, i.e. the leaf; to inspect the issuing certificates as well, add -showcerts to s_client, save the output to a file, and run openssl x509 on each certificate block.
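The one-liner above decodes only the leaf certificate. The script below is an added example and is not part of the KB article or of the SDDC Manager pre-check: it reads a PEM bundle (for instance the output of openssl s_client -showcerts saved to a file) and reports the signature algorithm of every certificate in it, flagging SHA-1 signatures anywhere in the chain. It uses only the Python standard library and decodes just the outer AlgorithmIdentifier of each certificate with a minimal DER reader. The OID-to-name table is the example's own (taken from RFC 3279 / RFC 5758), and the embedded sample bundle is a constructed DER skeleton with the outer X.509 shape, not a real certificate.

```python
"""Signature-algorithm report for every certificate in a PEM bundle.

Added example (not from the KB article). Only the outer signatureAlgorithm
of each X.509 certificate is decoded; this is a chain checker, not a full
certificate parser.
"""
import base64
import re
import sys

# Signature algorithm OIDs from RFC 3279 / RFC 5758 (assumed mapping).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)       # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg, 0)        # AlgorithmIdentifier starts with the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def chain_report(pem_bundle):
    """Return [(algorithm name, is_sha1), ...] for each certificate in the bundle, in order."""
    report = []
    for match in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)))
        name = SIG_OIDS.get(signature_algorithm(der), signature_algorithm(der))
        report.append((name, "SHA1" in name.upper()))
    return report


def uses_sha1(pem_bundle):
    """True if any certificate in the bundle carries a SHA-1 signature."""
    return any(is_sha1 for _, is_sha1 in chain_report(pem_bundle))


# --- constructed sample data (not real certificates) ------------------------
def _der(tag, content):
    """Minimal DER TLV encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _fake_cert_pem(sig_oid):
    """A DER skeleton with the outer X.509 shape (tbs, AlgorithmIdentifier, signature)."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                       # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))     # OID + NULL parameters
    sig = _der(0x03, b"\x00" * 17)                               # dummy BIT STRING
    body = base64.encodebytes(_der(0x30, tbs + alg + sig))      # PEM body, wrapped lines
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
# Constructed chain: a leaf signed with SHA-256 followed by an issuer still signed with SHA-1.
SAMPLE_BUNDLE = _fake_cert_pem(SHA256_RSA_OID) + _fake_cert_pem(SHA1_RSA_OID)

if __name__ == "__main__":
    # Usage: python3 chain_sha1_check.py chain.pem  (file saved from openssl s_client -showcerts)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, (name, is_sha1) in enumerate(chain_report(data)):
        print(f"cert[{i}]: {name}{'  <-- SHA-1' if is_sha1 else ''}")
    sys.exit(1 if uses_sha1(data) else 0)
```

Run without arguments it reports on the constructed sample (SHA-256 leaf, SHA-1 issuer) and exits non-zero because SHA-1 is present; with a saved -showcerts file it reports on the real chain, which is what the pre-check cares about.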