Error: "CLUSTER_IMAGE_COMPLIANCE_INCOMPATIBLE" during Baseline to Image conversion in SDDC Manager
search cancel

Error: "CLUSTER_IMAGE_COMPLIANCE_INCOMPATIBLE" during Baseline to Image conversion in SDDC Manager

book

Article ID: 432026

calendar_today

Updated On:

Products

VMware SDDC Manager / VCF Installer VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

  • Attempting to transition vLCM baseline cluster to vLCM image managed cluster using a PowerCLI script  fails with the following error:
    • Invoke-VcfUpdateCluster:500: Internal server error calling UpdateCluster: {"errorCode":"CLUSTER_IMAGE_COMPLIANCE_INCOMPATIBLE","arguments":["<argument>"],"message":"Image compliance result for cluster with ID: <cluster_id> is in INCOMPATIBLE state","referenceToken":"<Reference_Token>"}

  • Running the PowerCLI script to check existing clusters vLCM image compliance , the compliance fails with the below error : 
    • "Message": "SHA-1 signature found in host certificate False. Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0. To proceed with upgrade, replace it with a SHA-2 signature based certificate. Refer to release notes and KB 89424 for more details

  • Running the below command on ESXi host, verifies that the host certificate does not use SHA-1 signature algorithm:  
    • awk '
/-----BEGIN CERTIFICATE-----/ {
    in_cert = 1;
    cert = $0;
    next;
}

/-----END CERTIFICATE-----/ {
    if (in_cert) {
        cert = cert "\n" $0;
        echo_cmd = "echo \"" cert "\" | openssl x509 -noout -text | grep -m1 \"Signature Algorithm\"";
        system(echo_cmd);
        in_cert = 0;
        cert = "";
    }
    next;
}

{
    if (in_cert) {
        cert = cert "\n" $0;
    }
}
' /etc/vmware/ssl/castore.pem

Environment

  • VMware SDDC Manager 5.x 
  • VMware ESXi 8.x

Cause

The issue is caused by stale compliance data or a cached state within the VMware vSphere Update Manager (VUM) / Lifecycle Manager service. Even after certificates are upgraded to SHA-2/SHA-256 signature algorithm, the service may continue to report the legacy SHA-1 warning during the transition to an image-based lifecycle.

Resolution

To resolve the stale compliance state, restart the VMware Update Manager service on the vCenter:

  • Log in to the vCenter via SSH as root.
  • Execute the following command to restart the service: 
    • service-control --stop vmware-updatemgr && service-control --start vmware-updatemgr
  • Re-run the PowerCLI script to check the clusters vLCM image compliance. 
  • If the compliance passes, use the script to transition the cluster to vLCM image managed.
Powered by Wolken Software