vCenter Server upgrade from 7.x to 8.x fails due to SHA1 signature algorithm in ESXi certificate chain when ESXi using custom CA certs

Article ID: 399843


Products

VMware vSphere ESXi

Issue/Introduction

  • Upgrading vCenter Server or ESXi to 8.0 fails during the upgrade precheck because a certificate in the ESXi certificate store is signed with a weak signature algorithm (SHA-1)
  • Running the vsphere8_upgrade_certificate_checks.py Python script on the vCenter Server to precheck the ESXi hosts for upgrade fails with the following error:

####-##-## ERROR Support for certificates with weak signature algorithms has been removed in vSphere 8.0. Weak signature algorithm certificates must be replaced before upgrade. Refer to the vSphere release notes and VMware KB 89424 for more details. Correct the following 3 issues before proceeding with upgrade.
####-##-## ERROR
####-##-## ERROR 1. Host has a configured certificate authority (CA) with subject name '/O=VMware/CN=' that has weak signature algorithm sha1WithRSAEncryption. The certificate thumbprint is ##########. Cleanup vCenter Server TRUSTED ROOTS before explicitly removing certificates from the host.
####-##-## ERROR
####-##-## ERROR 2. Host has a configured certificate authority (CA) with subject name '/O=VMware/CN=' that has weak signature algorithm sha1WithRSAEncryption. The certificate thumbprint is ##########. Cleanup vCenter Server TRUSTED ROOTS before explicitly removing certificates from the host.
####-##-## ERROR
####-##-## ERROR 3. Host has a configured certificate authority (CA) with subject name '/O=VMware/CN=' that has weak signature algorithm sha1WithRSAEncryption. The certificate thumbprint is ##########. Cleanup vCenter Server TRUSTED ROOTS before explicitly removing certificates from the host.

 

NOTE:

  • When the default "vmca" certificate mode is used, vCenter Server pushes its own trusted root certificates (TRUSTED_ROOTS) to the ESXi certificate store. Each ESXi host may also hold additional certificates that were added manually, for example a custom CA chain.
  • If the ESXi certificate store contains a certificate with a weak signature algorithm (SHA-1), that certificate must be removed before the upgrade. The precheck objects to the algorithm used to sign the certificate (sha1WithRSAEncryption), not to the SHA-1 thumbprint it prints; the thumbprint is only the hash used to identify the certificate, and a SHA-256 signed certificate also has a SHA-1 thumbprint.

Environment

VMware vSphere ESXi 7.0

VMware vCenter Server 7.0

 

Cause

vSphere 8.x no longer accepts certificates signed with SHA-1 (for example sha1WithRSAEncryption). Any such certificate in the vCenter Server TRUSTED_ROOTS store or in the ESXi certificate store must be removed or replaced before the upgrade; otherwise the precheck fails with the error shown above.

Resolution

  • List the currently configured certificates from an SSH session on the ESXi host:
    • esxcli system security certificatestore list
  • Identify the SHA-1 signed entry (match its thumbprint against the one reported by the precheck) and save that certificate, in PEM form, to a temporary location on the ESXi host with a .cer or .cert extension (for example ca.cer or ca.cert). As the precheck message states, clean up the vCenter Server TRUSTED_ROOTS store first; vCenter pushes its trusted roots to the hosts (see the note above), so a root removed from the host alone may be pushed back.
  • Remove the certificate from the store by passing the file name of the saved certificate:
    • esxcli system security certificatestore remove --filename=<local_file>

Note: If the above steps do not work, follow the steps below instead.

  • Back up the castore.pem file in the /etc/vmware/ssl directory of the ESXi host, then edit it
  • Remove the PEM block of the SHA-1 certificate (from its BEGIN CERTIFICATE line through its END CERTIFICATE line) and save the file
  • Re-run vsphere8_upgrade_certificate_checks.py and confirm that the SHA-1 certificate is no longer reported
  • The esxcli commands can also be run through PowerCLI (Get-EsxCli)
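The precheck names the offending certificate only by its thumbprint, while castore.pem holds several concatenated PEM blocks, so the practical difficulty in both procedures above is working out which block is the SHA-1 one before saving it as ca.cer or deleting it. The following standard-library Python script is an added example written for this article; it is not VMware's tooling and not the vsphere8_upgrade_certificate_checks.py script. It reads each certificate's outer signatureAlgorithm OID straight from the DER, prints the SHA-1 thumbprint in the colon-separated form the precheck uses, and writes every SHA-1 signed block to its own .cer file. The OID table, the file paths and the constructed bundle built in demo() are assumptions; the two "certificates" demo() builds are structurally valid DER with dummy contents, not real certificates.

```python
"""Locate SHA-1 signed certificates in a PEM bundle such as /etc/vmware/ssl/castore.pem
and write each one to its own .cer file, ready for
    esxcli system security certificatestore remove --filename=<file>
Standard library only (no `cryptography` module), so it can run on an ESXi host or
the vCenter Server Appliance. Added example, not part of the VMware KB or of
vsphere8_upgrade_certificate_checks.py."""
import base64
import hashlib
import os
import re
import tempfile

# signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); the SHA-1 ones are what the
# vSphere 8 precheck rejects as weak. Table is an assumption, extend as needed.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS, **{"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                                        "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"})
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """OID content octets -> dotted text (the first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of an X.509 DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def scan_pem(pem_bytes):
    """Yield (index, SHA-1 thumbprint, algorithm name, is_weak, PEM block) per certificate."""
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        oid = signature_oid(der)
        hexd = hashlib.sha1(der).hexdigest().upper()   # the thumbprint the precheck prints
        thumb = ":".join(hexd[j:j + 2] for j in range(0, len(hexd), 2))
        yield i, thumb, KNOWN_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS, m.group(0)


def export_weak_certs(pem_path, out_dir):
    """Write every weak-signature certificate in pem_path to out_dir/weak-<n>.cer and
    return [(file, thumbprint), ...]. The bundle itself is never modified."""
    with open(pem_path, "rb") as f:
        pem = f.read()
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for i, thumb, name, weak, block in scan_pem(pem):
        print("cert %d  %s  %s%s" % (i, thumb, name, "  <-- WEAK, remove" if weak else ""))
        if weak:
            path = os.path.join(out_dir, "weak-%d.cer" % i)
            with open(path, "wb") as f:
                f.write(block + b"\n")
            written.append((path, thumb))
    return written


# ---- constructed sample input (not real certificates) so the script runs offline ----
def _der(tag, content):
    """Minimal DER TLV encoder, short and long length forms."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert_pem(sig_oid_octets):
    """Structurally valid but meaningless 'certificate' (dummy body, dummy signature)
    whose outer signatureAlgorithm is the given OID content octets. Test data only."""
    tbs = _der(0x30, _der(0x02, b"\x01") + b"\x00" * 200)   # >127 bytes: long-form length
    alg = _der(0x30, _der(0x06, sig_oid_octets) + b"\x05\x00")
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAA" * 32))
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


def demo():
    """Scan a constructed two-certificate bundle (one SHA-1 root, one SHA-256 root)
    in a temporary directory; returns (rows without the PEM text, files written)."""
    work = tempfile.mkdtemp()
    bundle = os.path.join(work, "castore.pem")
    with open(bundle, "wb") as f:
        f.write(constructed_cert_pem(SHA1_RSA_OID) + constructed_cert_pem(SHA256_RSA_OID))
    with open(bundle, "rb") as f:
        rows = [r[:4] for r in scan_pem(f.read())]
    return rows, export_weak_certs(bundle, os.path.join(work, "weak"))


if __name__ == "__main__":
    print(demo())
```

Point export_weak_certs() at the real /etc/vmware/ssl/castore.pem (or at a single certificate saved from esxcli system security certificatestore list) and pass each weak-N.cer it writes to esxcli system security certificatestore remove --filename=. The script deliberately does not edit castore.pem; it only tells you which blocks to remove, which keeps the order of operations from the Resolution (vCenter TRUSTED_ROOTS first, then the host) in your hands. That the host has a usable python interpreter on its path is an assumption.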

Additional Information