Upgrading vCenter Server 7.0 to 8.0 fails at the stage2 pre-check after updating the root certificate signature algorithm from SHA1 to SHA2
Article ID: 416244


Products

VMware vCenter Server

Issue/Introduction

After updating the root certificate signature algorithm from SHA1 to SHA2, the following error occurs during the stage 2 pre-check when upgrading vCenter Server from 7.0 to 8.0.

Error: Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject '/DC=###/CN=###/...' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption.

Resolution: Replace the certificate with subject '/DC=###/CN=###/...' in VECS store TRUSTED_ROOTS with a certificate that uses the SHA-2 signature algorithm. Caution: Verify that any certificates signed by the problematic certificate are not in use by vCenter Server. Refer to the vCenter Server release notes and VMware KB 89424 for more details.

Running vsphere8_upgrade_certificate_checks.py from KB 313460 produces output similar to the following.

YYYY-MM-DD hh:mm:ss.fffZ ERROR #################### Errors Found ####################
YYYY-MM-DD hh:mm:ss.fffZ ERROR
YYYY-MM-DD hh:mm:ss.fffZ ERROR Support for certificates with weak signature algorithms has been removed in vSphere 8.0. Weak signature algorithm certificates must be replaced before upgrade. Refer to the vSphere release notes and VMware KB 89424 for more details. Correct the following 1 issues before proceeding with upgrade.
YYYY-MM-DD hh:mm:ss.fffZ ERROR
YYYY-MM-DD hh:mm:ss.fffZ ERROR 1. The certificate with subject '/DC=###/CN=###/...' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption. The certificate thumbprint is ##:##:...##:##. The certificate Subject Key Identifier is ##:##:...##:##. Caution: Verify that any certificates signed by the problematic certificate are not in use by vCenter Server.
YYYY-MM-DD hh:mm:ss.fffZ ERROR
YYYY-MM-DD hh:mm:ss.fffZ ERROR ######################################################
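The pre-check reaches its verdict by reading the signatureAlgorithm field of each certificate in TRUSTED_ROOTS and reporting the offender's SHA1 thumbprint. The Python below is an added example, not the KB's vsphere8_upgrade_certificate_checks.py or vCert.py, that performs the same classification over a constructed in-memory store; the aliases, the `fake_cert` stubs and the `SAMPLE_STORE` dictionary are made up for the demonstration.

```python
import hashlib
# Signature OIDs the vSphere 8 pre-check rejects; sha1WithRSAEncryption is the one on this page.
WEAK_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Dotted OID from Certificate.signatureAlgorithm (RFC 5280, section 4.1.1.2)."""
    _, start, _ = _tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(cert_der, start)      # skip tbsCertificate
    _, alg_start, _ = _tlv(cert_der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return _decode_oid(cert_der[oid_start:oid_end])

def thumbprint(cert_der):
    """Thumbprint as the pre-check prints it: SHA1 of the DER, colon-separated hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())

def weak_certificates(store):
    """(alias, algorithm, thumbprint) for every certificate with a weak signature OID."""
    return [(alias, WEAK_OIDS[signature_oid(der)], thumbprint(der))
            for alias, der in store.items() if signature_oid(der) in WEAK_OIDS]
def _der(tag, content):
    """Short-form DER TLV (content under 128 bytes), enough for the stubs below."""
    return bytes([tag, len(content)]) + content
def fake_cert(sig_oid_hex):
    """Constructed stand-in: empty tbsCertificate, the given algorithm, dummy signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" + b"\xAA" * 8))

# Constructed sample store: the stale SHA1 root beside its SHA2 replacement.
SAMPLE_STORE = {"old-root-sha1": fake_cert("2a864886f70d010105"),   # 1.2.840.113549.1.1.5
                "new-root-sha256": fake_cert("2a864886f70d01010b")}  # 1.2.840.113549.1.1.11
```

On a real appliance the DER bytes would come from the TRUSTED_ROOTS store (for example from `vecs-cli entry list --store TRUSTED_ROOTS --text`); the stubs here carry only the field the check reads, so no real signing is needed.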

Environment

vCenter Server 8.0.x

Cause

Even after the signature algorithm was updated to SHA2, the old SHA1-signed root certificate remained in the TRUSTED_ROOTS store.

vCenter Server 8.0.x does not support the SHA1 signature algorithm.

Resolution

Remove the SHA1-signed root certificates using vCert.py, following the steps below.

  1. Take an offline snapshot or backup of vCenter Server.

    * If using Enhanced Linked Mode (ELM), take offline snapshots of all nodes in the ELM group.

  2. Download the vCert-###.zip file from the attachments section of KB 385107.

  3. Make vCert.py executable as described in KB 385107.

  4. Run vCert.py using the following command:
     
    ./vCert.py

  5. Enter y at the prompt below.

    Do you acknowledge the risks and wish to continue? [y/n]:

  6. Select "3. Manage certificates".
    At the prompt below, type 3 and press Enter.

    Select an option [1]:

  7. Select "3. CA certificates in VMware Directory".
    At the prompt below, type 3 and press Enter.

    Select an option [Return to main menu]:

  8. Press Enter to accept the default account at the prompt below.

    Please enter a Single Sign-On administrator account [administrator@<SSO domain>]:

  9. Enter the password of the Single Sign-On administrator account at the prompt below and press Enter.

    Please provide the password for administrator@<SSO domain>:

  10. Review the certificate list, similar to the following, and identify the SHA1-signed root by matching its Subject Key ID to the Subject Key Identifier reported by the pre-check.
         
         -----
         CA Certificates in VMware Directory
         -----------------------------------------------------------------
         1. Alias: #######################################
            Subject: 
            Issuer: 
            End Date: MMM DD hh:mm:ss YYYY GMT
            Subject Key ID: 
            Is CA Cert: Yes

         2. Alias: #######################################
            Subject: 
            Issuer: 
            End Date: MMM DD hh:mm:ss YYYY GMT
            Subject Key ID: 
            Is CA Cert: Yes
         .
         .
         .   
         -----

  11. Select "2. Remove CA certificate(s) from VMware Directory".
    At the prompt below, type 2 and press Enter.

    Select an option [Return to the previous menu]:

  12. Enter the number of the certificate to be deleted at the prompt below.
    * If the certificate with the Subject Key ID to be deleted is listed as number 1, enter 1.

    Enter the number(s) of the certificate(s) to delete (multiple entries separated by a comma):

  13. Confirm that the deletion has been propagated to the VECS store, as shown by the "Refreshing CA certificates to VECS ... OK" line below.
         
         -----
         Remove Certificate(s) from VMware Directory
         -----------------------------------------------------------------
         .
         .
         Refreshing CA certificates to VECS                             OK
         -----

  14. Press Ctrl+C to exit vCert.py.

  15. Restart the vCenter Server services using the following command:

    service-control --stop --all && service-control --start --all

Additional Information

Japanese version (title translated):
Upgrading vCenter Server 7.0 to 8.0 fails at the Stage 2 pre-check after updating the root certificate signature algorithm from SHA1 to SHA2

Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm

vCert - Scripted vCenter expired certificate replacement