vCenter pre-update check fails "Unable to upgrade as VECS force refresh has failed"

Article ID: 415464

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to update vCenter, the pre-update check fails, preventing the upgrade/update from proceeding.
  • The following error is observed in the VAMI of the vCenter:
    "Error - Unable to upgrade as VECS force refresh has failed"
  • The following entries are observed in the /var/log/vmware/applmgmt/PatchRunner.log file:
    YYYY-MM-DDTHH:mm:ss:22.98Z vmafd-patch:CollectRequirements ERROR vmafd-patch.utils VECS force refresh failed. Error: Failed to trigger root cert refresh

    vecs-cli failed. Error 11: Possible errors:
    LDAP error: Administrative limit exceeded
    Win Error: Operation failed with error ERROR_BAD_FORMAT (11)

    ...

    YYYY-MM-DDTHH:mm:ss:42.810Z WARNING vmware_b2b.patching.phases.discoverer Invalid patching structure: /storage/seat/software-updatefpbamy7n/stage/scripts/patches/payload/components-script/eam-update-catalog_catalog.vmsg
    2025-05-27T15:20:42.819Z INFO vmware_b2b.patching.phases.discoverer Discovery completed. Result: [
        {
            "name": "vmafd-patch",
            "patchScript": "/storage/seat/software-updatefpbamy7n/stage/scripts/patches/payload/components-script/vmafd-patch",
            "requirementsResult": {
                "mismatches": [
                    {
                        "description": {
                            "id": "vmafd.error.description",
                            "localized": "Unable to upgrade as VECS force refresh has failed.",
                            "translatable": "Unable to upgrade as VECS force refresh has failed."
                        },
                        "problemId": null,
                        "relatedUserDataId": null,
                        "resolution": {
                            "id": "vmafd.error.resolution",
                            "localized": "Search for these symptoms in the VMware knowledge base for any known issues and possible workarounds. If none can be found, collect a support bundle and open a support request.",

  • Entries about failing to write CRLs to disk are observed in the /var/log/vmware/vmafdd/vmafdd.log file.

Environment

VMware vCenter Server 8.x

Cause

The VECS certificate stores have incorrect permissions assigned, and the TRUSTED_ROOT_CRLS store contains many entries.

Resolution

Inspect the certificate store permissions in VECS and clear the entries in the TRUSTED_ROOT_CRLS store in VECS using vCert. See: vCert - expired certificate replacement script
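
A read-only way to collect what the Resolution asks you to inspect before running vCert, given here as an added example that is not part of this article or of vCert. It assumes vecs-cli is at its usual appliance path and that `vecs-cli entry list` prints one "Alias" line per entry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only triage for the symptoms in this article.
# Assumption: usual vCenter appliance path for vecs-cli; override with VECS_CLI.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
PATCH_LOG="${PATCH_LOG:-/var/log/vmware/applmgmt/PatchRunner.log}"

# Succeeds only if the log file holds both error strings quoted in this article.
log_matches_article() {
    [ -r "$1" ] &&
        grep -q 'VECS force refresh failed' "$1" &&
        grep -q 'LDAP error: Administrative limit exceeded' "$1"
}

# Counts entries in `vecs-cli entry list` output read from stdin.
# Assumption: each entry is introduced by exactly one "Alias :" line.
count_entries() {
    grep -c '^[[:space:]]*Alias[[:space:]]*:' || true
}

# Prints every store's entry count and permissions; changes nothing.
report_stores() {
    for store in $("$VECS_CLI" store list); do
        n=$("$VECS_CLI" entry list --store "$store" | count_entries)
        echo "== $store: $n entries"
        "$VECS_CLI" store get-permissions --name "$store"
    done
}

# Only run the live checks where vecs-cli exists (the vCenter appliance).
if [ -x "$VECS_CLI" ]; then
    if log_matches_article "$PATCH_LOG"; then
        echo "PatchRunner.log matches the VECS force refresh failure"
    fi
    report_stores
fi
```

Keep the output as a before-state record: the TRUSTED_ROOT_CRLS count and the per-store permissions are the two items the Cause section names.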