vCenter Server upgrade Stage2 failed with "The source host thumbprint is different than the provided one"


Article ID: 422857


Products

VMware vCenter Server

Issue/Introduction

The following error is received while upgrading:
Error: The source host thumbprint is different than the provided one. 
Resolution: Verify the source host SSL certificates are correct

You may see an error like this in the logs on the destination vCenter Server.

YYYY-MM-DDThh:mm:ss.###Z INFO upgrade_commands Creating OpsManager (Ssh based).
YYYY-MM-DDThh:mm:ss.###Z INFO networking_utils isHostReachable(): try getaddrinfo('#####', '443', 0, SocketKind.SOCK_STREAM, 6)...
YYYY-MM-DDThh:mm:ss.###Z INFO networking_utils isHostReachable(): getaddrinfo() found 1 entries (first is used):
        FAMILY: AddressFamily.AF_INET, TYPE=SocketKind.SOCK_STREAM, PROTO=6, CANONNAME=, ADDR=('###.###.###.###', 443)
YYYY-MM-DDThh:mm:ss.###Z INFO networking_utils isHostReachable() succeeded: address //#####:443 is reachable
YYYY-MM-DDThh:mm:ss.###Z ERROR transport.guestops Different thumbprint from host //#####:443: SHA thumbprint mismatch. Expected: `#####################A`, actual: `#####################B`
Traceback (most recent call last):
  File "/usr/lib/vmware/cis_upgrade_runner/libs/sdk/transport/guestops.py", line 124, in _createServiceInstance
    self.serviceInstance.RetrieveContent()
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/VmomiSupport.py", line 618, in <lambda>
    self.f(*(self.args + (obj,) + args), **kwargs)
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/VmomiSupport.py", line 391, in _InvokeMethod
    return self._stub.InvokeMethod(self, info, args)
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/SoapAdapter.py", line 1555, in InvokeMethod
    conn = self.GetConnection()
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/SoapAdapter.py", line 1643, in GetConnection
    _VerifyThumbprint(self.thumbprint, result)
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/SoapAdapter.py", line 1122, in _VerifyThumbprint
    VerifyCertThumbprint(derCert, thumbprint)
  File "/usr/lib/vmware/cis_upgrade_runner/libs/pyVmomi.zip/pyVmomi/Security.py", line 45, in VerifyCertThumbprint
    raise ThumbprintMismatchException(thumbprint, shaDigest)
pyVmomi.Security.ThumbprintMismatchException: SHA thumbprint mismatch. Expected: `#######################################A`, actual: `#######################################B`

Environment

VMware vCenter Server

Cause

While deploying vCenter Server, the VCSA installer stores the SSL certificate hash of the ESXi host where the source vCenter Server resides as the upgrade.source.ssl.thumbprint parameter.

In some environments an SSL proxy might be configured, so the ESXi SSL certificate that the VCSA installer saw during Stage 1 can differ from the one that the destination vCenter Server sees during Stage 2. The resulting thumbprint mismatch during Stage 2 blocks the upgrade process.

Resolution

Execute this command in the bash shell of both the source and the destination vCenter Server.

install-parameter upgrade.source.ssl.thumbprint -s "##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:BB"

Specify the thumbprint of the ESXi SSL certificate that the destination vCenter Server currently sees.

If the error log on the destination vCenter Server looks like this:

pyVmomi.Security.ThumbprintMismatchException: SHA thumbprint mismatch. Expected: `####################`, actual: `00112233445566778899aabbccddeeffgghhiijj`

specify the thumbprint like this:

install-parameter upgrade.source.ssl.thumbprint -s "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:GG:HH:II:JJ"
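
The conversion shown above, from the "actual" value in the log to the colon-separated form passed to install-parameter, as an added shell example (not VMware's code). The helper names and the sample log line are constructed, and the 40-hex-digit check assumes the thumbprint is SHA-1, as the 20-byte values on this page indicate. live_thumbprint uses openssl to show the certificate a machine is actually served, so the value can be confirmed as the expected ESXi or proxy certificate before it is set.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of vCenter tooling.

# Extract the "actual" value from a ThumbprintMismatchException log line.
actual_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*actual: `\([^`]*\)`.*/\1/p' | head -n 1
}

# Convert a thumbprint to upper-case, colon-separated form.
# Fails unless the input is exactly 40 hex digits (SHA-1, an assumption).
format_thumbprint() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    printf '%s\n' "$hex" | grep -Eq '^[0-9A-F]{40}$' || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# SHA-1 fingerprint of the certificate served on <host>:443, as seen from the
# machine this runs on. Compare it with the log value and with the fingerprint
# of the certificate you expect (ESXi host or SSL proxy) before setting it.
live_thumbprint() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# Build the install-parameter command from a log line.
build_command() {
    tp=$(format_thumbprint "$(actual_from_log "$1")") || {
        echo "log line does not contain a 40-hex-digit thumbprint" >&2
        return 1
    }
    printf 'install-parameter upgrade.source.ssl.thumbprint -s "%s"\n' "$tp"
}

# Constructed sample log line (the hex value is made up for illustration).
SAMPLE_LOG='pyVmomi.Security.ThumbprintMismatchException: SHA thumbprint mismatch. Expected: `#####`, actual: `00112233445566778899aabbccddeeff01234567`'

build_command "$SAMPLE_LOG"
```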