ESXi patching pre-check fails with SHA-1 signature error due to memory exhaustion
Article ID: 433124

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • During the ESXi 8.0 patching process, the pre-check fails and displays the following error string:
    SHA-1 signature found in host certificate False. Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0. To proceed with upgrade, replace it with a SHA-2 signature based certificate. Refer to release notes and KB 89424 for more details.

  • vCenter Server and the connected ESXi hosts are not using certificates with a weak digital signature algorithm. Running the vsphere8_upgrade_certificate_checks.py script (from KB 313460) verifies this configuration and detects no certificates with a SHA-1 signature. Additionally, renewing and refreshing the ESXi certificates do not resolve the error.

  • The following entries are recorded in the vCenter Server /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log file:

    -->        "STRUCTURE": {
    -->            "com.vmware.esx.settings.notification": {
    -->                "id": "com.vmware.vcIntegrity.lifecycle.HostScan.UnsupportedSHA1Cert",
    -->                "message": {
    -->                    "STRUCTURE": {
    -->                        "com.vmware.vapi.std.localizable_message": {
    -->                            "args": [
    -->                                "False"
    -->                            ],
    -->                            "default_message": "SHA-1 signature found in host certificate False. Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0. To proceed with upgrade, replace it with a SHA-2 signature based certificate. Refer to the release notes and KB 89424 for more details.",
    -->                            "id": "com.vmware.vcIntegrity.lifecycle.HostScan.UnsupportedSHA1Cert",
    -->                            "localized": {
    -->                                "OPTIONAL": null

  • The following log excerpts appear in the ESXi host logs:

    • /var/run/log/lifecycle.log:

      YYYY-MM-DDTHH:MM:SSZ Er(11) lifecycle[6493677]: upgrade_precheck:2924 Failed to parse certificate /etc/vmware/ssl/castore.pem: Command openssl x509 -in /tmp/tmp9c11f5v4 -noout -text | grep 'Signature Algorithm' exited with code 2

    • /var/run/log/vmkernel.log:

      YYYY-MM-DDTHH:MM:SSZ In(182) vmkernel: cpu54:6494029)uw.6494030 (33970206) requires 16 KB, asked 16 KB from python.6493677 (33967604) which has 322560 KB occupied and 0 KB available.
      YYYY-MM-DDTHH:MM:SSZ In(182) vmkernel: cpu54:6494029)Admission failure in path: host/vim/vmvisor/settingsd-task-forks/python.6493677:sh.6494030:uw.6494030

Environment

vCenter Server Appliance 8.x
vSphere ESXi 8.x

Cause

The task fails due to memory exhaustion within the settingsd-task-forks resource pool on the ESXi host.
This exhaustion prevents the host from running the OpenSSL certificate validation command during the pre-check (the command exits with code 2 instead of returning the signature algorithm), and the pre-check reports that failure as a SHA-1 certificate finding. The SHA-1 error is therefore a false positive; the certificates themselves are not the problem.

Resolution

  1. Log in to the affected ESXi host as root via SSH or the ESXi Shell.

  2. Check the current memory configuration for the settingsd-task-forks group on the affected ESXi host by executing the following command:

    localcli --plugin-dir=/usr/lib/vmware/esxcli/int sched group getmemconfig -g host/vim/vmvisor/settingsd-task-forks

  3. Increase the memory limit to 400 MB by executing the following command:

    localcli --plugin-dir=/usr/lib/vmware/esxcli/int sched group setmemconfig -g host/vim/vmvisor/settingsd-task-forks -m 400 -i 0 -l -1 -u mb

  4. Confirm the updated memory configuration by re-executing the validation command:

    localcli --plugin-dir=/usr/lib/vmware/esxcli/int sched group getmemconfig -g host/vim/vmvisor/settingsd-task-forks

  5. Re-initiate the patching operation.
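The following script is an added example, not part of this KB article or of VMware's tooling. It wraps the two things a practitioner wants to do here: first confirm from vmkernel.log that the settingsd-task-forks group actually hit an admission failure (the evidence in the Cause section), and only then apply steps 2 to 4 above, verifying the new limit before the patch is re-run. The localcli commands and the group path are the ones given in this article; the sample log lines are the ones shown above, embedded as constructed input. The format of the getmemconfig output (a "Max: <value>" line) is an assumption and is marked as such; adjust the parser if your build prints it differently. The orchestration in main only runs when localcli is present, so the helper functions can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the KB): confirm the settingsd-task-forks memory
# exhaustion from vmkernel.log, then raise the group's limit and verify it.

GROUP="host/vim/vmvisor/settingsd-task-forks"              # group path from the KB
TARGET_MB=400                                              # limit the KB recommends
LOCALCLI="localcli --plugin-dir=/usr/lib/vmware/esxcli/int" # command prefix from the KB

# Constructed sample input: the two vmkernel.log lines quoted in this article.
SAMPLE_VMKERNEL='YYYY-MM-DDTHH:MM:SSZ In(182) vmkernel: cpu54:6494029)uw.6494030 (33970206) requires 16 KB, asked 16 KB from python.6493677 (33967604) which has 322560 KB occupied and 0 KB available.
YYYY-MM-DDTHH:MM:SSZ In(182) vmkernel: cpu54:6494029)Admission failure in path: host/vim/vmvisor/settingsd-task-forks/python.6493677:sh.6494030:uw.6494030'

# Constructed sample of getmemconfig output. ASSUMPTION: the real command prints
# a "Max: <value>" line; the key names here are illustrative, not documented.
SAMPLE_GETMEMCONFIG='   Group Name: host/vim/vmvisor/settingsd-task-forks
   Max: 100
   Min: 0
   Units: mb'

# Number of admission failures recorded for the settingsd-task-forks group.
# $1 = path to vmkernel.log. Prints 0 when the file is absent or has no matches.
count_admission_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -F "Admission failure in path: ${GROUP}" "$1" || true
}

# Occupied and available KB from the most recent "which has ... KB occupied and
# ... KB available" line. Prints "<occupied> <available>", or nothing if none.
last_mem_state() {
    [ -r "$1" ] || return 0
    sed -n 's/.* which has \([0-9][0-9]*\) KB occupied and \([0-9][0-9]*\) KB available.*/\1 \2/p' "$1" | tail -n 1
}

# Extract the Max value from getmemconfig output passed as $1 (see ASSUMPTION above).
parse_max_mb() {
    printf '%s\n' "$1" | awk -F':' '{
        key = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Max") { print val; exit }
    }'
}

# Exit 0 when the current max ($1, in MB) is a plain number below TARGET_MB.
# Exit 2 when it is not a plain number (empty, unparsed, or -1 for unlimited).
needs_increase() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -lt "$TARGET_MB" ]
}

main() {
    vmk=/var/run/log/vmkernel.log
    echo "Admission failures for ${GROUP}: $(count_admission_failures "$vmk")"
    state=$(last_mem_state "$vmk")
    [ -n "$state" ] && echo "Last reported state (occupied KB, available KB): ${state}"

    before=$($LOCALCLI sched group getmemconfig -g "$GROUP")     # KB step 2
    cur=$(parse_max_mb "$before")
    if needs_increase "$cur"; then
        $LOCALCLI sched group setmemconfig -g "$GROUP" -m "$TARGET_MB" -i 0 -l -1 -u mb   # KB step 3
        after=$($LOCALCLI sched group getmemconfig -g "$GROUP")  # KB step 4
        new=$(parse_max_mb "$after")
        if [ "$new" = "$TARGET_MB" ]; then
            echo "Limit is now ${new} MB; re-run the patch pre-check (KB step 5)."
        else
            echo "Verification failed: parsed max is '${new}'. Inspect the output manually."
            return 1
        fi
    else
        echo "Current max is '${cur:-unparsed}'; no change made. Review the getmemconfig output."
    fi
}

# Run the orchestration only on an ESXi host where localcli exists.
if command -v localcli >/dev/null 2>&1; then
    main
fi
```

Off the host, the helpers can be pointed at a copied vmkernel.log (the support bundle contains it) to confirm the admission failure before anyone touches the scheduler group; the memory change itself should only be made on the affected host, after step 2 has shown the current configuration.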

Additional Information

Upgrading vCenter Server or ESXi 8.0 fails with "SHA-1 signature found in host certificate