vcenter upgrade fails due to: patch_errors.UserError: Failed to apply patch roles_groups_users

Article ID: 413141

Products

VMware vCenter Server

Issue/Introduction

 

The vCenter upgrade fails at 80% in the UI.

The following can be seen in /var/log/vmware/applmgmt/patchRunner.log:


[YYYY-MM-DDTHH:MM:SS] wcp:Patch INFO root Removing certificate for user "wcp" from the filesystem
[YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR wcp Failed to apply patch %s! Error: %s.
[YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR wcp Not all patches were applied. Latest applied patch is 1
[YYYY-MM-DDTHH:MM:SS] wcp:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'wcp:Patch' failed.
Traceback (most recent call last):
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/executor/hook_executor.py", line 74, in executeHook
    executionResult = systemExtension(args)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/libs/sdk/extensions.py", line 106, in __call__
    result = self.extension(*args)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/libs/sdk/extensions.py", line 123, in _func
    return func(*args)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/payload/components-script/wcp/__init__.py", line 225, in doPatching
    doIncrementalPatching(current_version)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/payload/components-script/wcp/__init__.py", line 343, in doIncrementalPatching
    raise user_error
patch_errors.UserError: Failed to apply patch roles_groups_users! Error: {
    "detail": [
        {
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                "Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=VCENTER_FQDN', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_00000000.priv', '--cert=/tmp/wcp_000000.crt', '--Name=wcp']\nStderr: "
            ],
            "localized": "An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=VCENTER_FQDN', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_0000000.priv', '--cert=/tmp/wcp_0000000.crt', '--Name=wcp']\nStderr: '"
        }
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}.
[YYYY-MM-DDTHH:MM:SS] ERROR vmware_b2b.patching.phases.patcher Patch hook Patch got ComponentWrapperError.
Traceback (most recent call last):
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/phases/patcher.py", line 208, in patch
    _patchComponents(ctx, userData, statusAggregator.reportingQueue)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/phases/patcher.py", line 90, in _patchComponents
    executeComponentHook(Hook.Patch, ctx, c, userData, reportingQueue)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/executor/execution_facade.py", line 97, in executeComponentHook
    result = executeHook(c.patchScript, hook, args,
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/executor/execution_facade.py", line 53, in executeHook
    result = executor.executeHook(scriptFile, hook, args, reportQueue, reportIdentifier)
  File "/storage/seat/software-updatepwoebzhn/stage/scripts/patches/py/vmware_b2b/patching/executor/hook_executor_process.py", line 119, in executeHook
    raise ex
patch_errors.ComponentError
[YYYY-MM-DDTHH:MM:SS] WARNING root stopping status aggregation...
[YYYY-MM-DDTHH:MM:SS] ERROR __main__ Patch vCSA failed

Cause

The vCenter computer account has not been added to the DCAdmins built-in group, so it fails to obtain a signed certificate (the certool --genCIScert call shown in the log above).

 

Resolution

Add the computer account to the DCAdmins group: 

  • SSH to the vCenter server as root.
  • Run the following command:
    • /opt/likewise/bin/ldapmodify -x -D cn=Administrator,cn=Users,dc=vsphere,dc=local -W <<EOF
      dn: CN=DCAdmins,cn=Builtin,dc=vsphere,dc=local
      changetype: modify
      add: member
      member: cn=VCENTER_FQDN,ou=Domain Controllers,dc=vsphere,dc=local
      EOF
  • Retry the vCenter upgrade.
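
To confirm the Cause before changing the group, and to verify the change afterwards, the member list of DCAdmins can be checked offline from an LDIF export of that entry. The script below is an added example, not part of the original article or of VMware tooling; the function names, the host names vc01/vc02.example.test and the sample LDIF are constructed for illustration, and the default base DN dc=vsphere,dc=local is taken from the command above.

```shell
#!/bin/sh
# Added example (not from the KB article): offline check of DCAdmins membership.
# Input on stdin: LDIF for CN=DCAdmins,cn=Builtin,dc=vsphere,dc=local, e.g. the
# saved output of an LDAP search for that entry's "member" attribute.
# Nothing here contacts or modifies the directory.

# Unfold LDIF: a line starting with one space continues the previous line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (have) print buf; buf = $0; have = 1 }
         END { if (have) print buf }'
}

# Print each plain-text "member: " value, lowercased, with spaces around commas
# removed. DNs compare case-insensitively; base64 ("member::") values are skipped.
dcadmins_members() {
    tr -d '\r' | ldif_unfold | grep -i '^member: ' | cut -d' ' -f2- |
        tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'
}

# is_dcadmin FQDN [BASE_DN]: exit 0 only if the machine account DN is a member.
# grep -F -x: literal, whole-line match, so "vc01" never matches "vc01.example.test".
is_dcadmin() {
    want=$(printf 'cn=%s,ou=Domain Controllers,%s' "$1" "${2:-dc=vsphere,dc=local}" |
        tr '[:upper:]' '[:lower:]')
    dcadmins_members | grep -Fxq -- "$want"
}

# Constructed sample LDIF: mixed-case DNs and one folded member line.
sample_ldif() {
    cat <<'EOF'
dn: CN=DCAdmins,cn=Builtin,dc=vsphere,dc=local
member: CN=Administrator,CN=Users,DC=vsphere,DC=local
member: CN=vc01.example.test,OU=Domain Controllers,DC=vsphe
 re,DC=local
EOF
}

if sample_ldif | is_dcadmin vc01.example.test; then
    echo "vc01.example.test: present in DCAdmins"
fi
if ! sample_ldif | is_dcadmin vc02.example.test; then
    echo "vc02.example.test: missing from DCAdmins (matches the Cause above)"
fi
```

The same member listing doubles as an audit of who else holds DCAdmins rights on the SSO domain.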