vCenter Update Fails with error "Exception occured in postInstallHook for B2B-patching. Please check the logs for more details. Take corrective action and then resume." after FQDN Change

Article ID: 411993

Products

VMware vCenter Server

Issue/Introduction

  • An attempt to update vCenter Server 8.0 fails during the post-installation phase with the error "Exception occurred in postInstallHook for B2B-patching".

  • The update process rolls back, and the logs indicate that the vpxd service fails to start because it cannot generate a new data-encipherment certificate.

  • Logs:
    • /var/log/vmware/applmgmt/PatchRunner.log

[YYYY-MM-DDTHH:MM:SS] INFO service_manager Command '[['/bin/service-control', '--start', 'vmware-vpxd']]' has exit-code='1' and stdout: Operation not cancellable. Please wait for it to finish...
Performing start operation on service vpxd...
stderr: Error executing start on service vpxd. Details {
    "detail": [
        {
            "id": "install.ciscommon.service.failstart",
            "translatable": "An error occurred while starting service '%(0)s'",
            "args": [
                "vpxd"
            ],
            "localized": "An error occurred while starting service 'vpxd'"
        }

    • /var/log/vmware/vmon/vmon.log


[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             "localized": "An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vcserver.nvb.circ9.dcn', '--genCIScert', '--dataencipherment', '--privkey=/etc/vmware-vpx/ssl/tmp-data-encipherment.key', '--cert=/etc/vmware-vpx/ssl/tmp-data-encipherment.crt', '--Name=data-encipherment', '--FQDN=NVB-vcserver.adu.dcn']\nStderr: '"
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######         },
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######         {
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             "id": "upgrade.vpxd.cert.create.failed",
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             "translatable": "Failed to create data encipherment cert with hostname/ip %(0)s.",
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             "args": [
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######                 "NEW_FQDN"
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             ],
[YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-######             "localized": "Failed to create data encipherment cert with hostname/ip NEW_FQDN."

Environment

  • VMware vCenter Server 8.x

Cause

  • This issue occurs because the vCenter's FQDN was previously changed, but the data encipherment certificate was never properly updated to reflect the new FQDN. The post-installation hook for the patch attempts to create or renew this certificate using the old, incorrect FQDN.
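
The following triage sketch is an added example, not code from VMware or from this article. It scans vmon.log text for the failure signature shown above and reports which certool hostname arguments differ from the appliance's current FQDN. The function names, the sample log lines and the example.test hostnames are constructed assumptions.

```python
import re

# Failure id and certool arguments as they appear in the vmon.log excerpt above.
FAIL_ID = "upgrade.vpxd.cert.create.failed"
CERTOOL_TOKENS = ("certool", "--genCIScert", "--dataencipherment")
ARG_RE = re.compile(r"'--(server|FQDN)=([^']+)'")

# Constructed sample in the vmon.log layout; hostnames are placeholders.
SAMPLE = r"""
[2024-01-01T00:00:00] Wa(03)+ host-1234   "localized": "An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc-old.example.test', '--genCIScert', '--dataencipherment', '--privkey=/etc/vmware-vpx/ssl/tmp-data-encipherment.key', '--cert=/etc/vmware-vpx/ssl/tmp-data-encipherment.crt', '--Name=data-encipherment', '--FQDN=VC-New.example.test']\nStderr: '"
[2024-01-01T00:00:00] Wa(03)+ host-1234   "id": "upgrade.vpxd.cert.create.failed",
"""


def normalize(name):
    """Hostnames compare case-insensitively and ignore a trailing dot."""
    return (name or "").strip().rstrip(".").lower()


def triage(log_text, current_fqdn):
    """Report the cert-create failure id and each data-encipherment certool call."""
    want = normalize(current_fqdn)
    findings = {"cert_create_failed": False, "certool_calls": []}
    for line in log_text.splitlines():
        if FAIL_ID in line:
            findings["cert_create_failed"] = True
        if all(tok in line for tok in CERTOOL_TOKENS):
            args = dict(ARG_RE.findall(line))
            # Arguments whose hostname is not the current FQDN need a closer look.
            differs = [k for k in ("server", "FQDN") if normalize(args.get(k)) != want]
            findings["certool_calls"].append({
                "server": args.get("server"),
                "fqdn": args.get("FQDN"),
                "differs_from_current": differs,
            })
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE, "vc-new.example.test"))
```

Pass it the contents of /var/log/vmware/vmon/vmon.log and the FQDN the vCenter is expected to use; a non-empty differs_from_current list alongside the failure id matches the condition described in this article.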

Resolution

  • Renew Data Encipherment Certificate and Retry Update.

Procedure:

    1. Roll Back the Failed Update: Before attempting the manual certificate renewal, revert the vCenter Server to the state prior to the failed update. Use the rollback feature of the update tool, or revert the VM snapshot if taken before the process began.
    2. Take a new snapshot of the virtual machine. Follow Snapshot Best practices for vCenter Server Virtual Machines.
    3. Regenerate the data-encipherment certificate, referring to Replacing an expired data-encipherment certificate on vCenter Server.
    4. Retry the Update: With the data-encipherment certificate correctly renewed, attempt the vCenter update again. The update process should now complete successfully.

Additional Information

The Data Encipherment certificate can also be replaced using the vCert Utility.

vCert - Scripted vCenter Expired Certificate Replacement