vCenter Upgrade Precheck Failure from SDDC Manager: "Connection Issues to Key Management Servers"
Article ID: 407430

Products

VMware Cloud Foundation

Issue/Introduction

The prechecks in SDDC Manager for the vCenter upgrade fail with the error: "There are vCenter or Hosts with Connection Issues to Key Management Servers."

The KMS server details in vCenter also display a certificate warning.

Environment

VMware Cloud Foundation 5.x

Cause

The KMS certificate chain required to establish trust between vCenter and the Key Management Server (KMS) is missing. This lack of trust is preventing proper communication between vCenter and the KMS.

A missing or outdated KMS certificate chain in vCenter’s trust store can block secure communication, which may result in upgrade precheck failures.

Resolution

Note: It is mandatory to take a snapshot of both the SDDC Manager VM and vCenter before performing the following steps.

Delete the old certificate from the KMS store

Check whether the entire KMS certificate chain has been added to the vCenter KMS_ENCRYPTION store under a single alias. If it has, delete it and re-add it using the steps below:

  1. From an SSH session on the vCenter appliance, list the certificates in the KMS store:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store KMS_ENCRYPTION

    Identify the alias under which the KMS certificate chain was added.

  2. Delete the added certificate chain:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store KMS_ENCRYPTION --alias <alias_of_the_added_KMS_certificate_chain>

  3. Publish the new KMS certificate chain in the store by following the procedure outlined in Adding KMS Certificate Chain for KMS Server.

  4. Restart the vCenter services:

    service-control --stop --all && service-control --start --all

  5. Retry the prechecks from SDDC Manager.
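The check in steps 1 and 2 (finding an alias that holds the whole chain) can be automated. The script below is an added example, not part of this KB and not VMware's tooling: it walks every alias in a VECS store, fetches each alias's PEM data with `vecs-cli entry getcert`, and flags any alias containing more than one certificate. The `vecs-cli` path is the one used above; the `Alias :` line format of `vecs-cli entry list` output and the `entry getcert` subcommand are assumptions about the tool, and the PEM blobs at the bottom are constructed sample data, not real certificates.

```shell
#!/bin/sh
# Added example (not from the KB). Audits a VECS store, by default
# KMS_ENCRYPTION, for aliases that hold more than one PEM certificate,
# i.e. the "whole chain under a single alias" condition the KB describes.
# Assumptions: vecs-cli lives at the path used in the KB, "entry list"
# prints one "Alias :<tab>name" line per entry, and "entry getcert"
# writes the alias's PEM data to stdout.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
STORE=${STORE:-KMS_ENCRYPTION}

# Count PEM certificate blocks read from stdin. grep -c exits 1 when the
# count is zero, so force success and keep the "0" it already printed.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Report one alias. Reads that alias's PEM data from stdin, prints a verdict
# and returns 0 for a single certificate, 1 when a chain was found.
check_entry() {
    name=$1
    n=$(count_pem_certs)
    if [ "$n" -gt 1 ]; then
        echo "CHAIN  $name: $n certificates under one alias (delete and re-add per KB)"
        return 1
    fi
    echo "OK     $name: $n certificate"
    return 0
}

# Walk every alias in the store. Returns 1 if any alias holds a chain,
# 2 if vecs-cli is not present (i.e. not running on the vCenter appliance).
audit_kms_store() {
    store=${1:-$STORE}
    if [ ! -x "$VECS_CLI" ]; then
        echo "vecs-cli not found at $VECS_CLI; run this over SSH on vCenter" >&2
        return 2
    fi
    aliases=$("$VECS_CLI" entry list --store "$store" | sed -n 's/^Alias :[[:space:]]*//p')
    rc=0
    old_ifs=$IFS
    IFS='
'
    for a in $aliases; do
        "$VECS_CLI" entry getcert --store "$store" --alias "$a" | check_entry "$a" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample data: placeholder PEM bodies, not real certificates.
SAMPLE_SINGLE='-----BEGIN CERTIFICATE-----
MIIB-constructed-kms-leaf-certificate-body
-----END CERTIFICATE-----'

SAMPLE_CHAIN="$SAMPLE_SINGLE
-----BEGIN CERTIFICATE-----
MIIB-constructed-intermediate-ca-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB-constructed-root-ca-body
-----END CERTIFICATE-----"

# Demonstrate the verdict on the constructed data, then run the live audit
# (which only does anything when executed on the vCenter appliance).
printf '%s\n' "$SAMPLE_SINGLE" | check_entry kms-leaf-only || true
printf '%s\n' "$SAMPLE_CHAIN"  | check_entry kms-full-chain || true
audit_kms_store "$STORE" || true
```

Run it over SSH on the vCenter appliance before step 2; every alias reported as `CHAIN` is a candidate for the `vecs-cli entry delete` command above, after which the chain is re-added through the documented procedure. A non-zero exit from `audit_kms_store` is also a convenient gate in any automation that wraps the SDDC Manager precheck.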