VMware Cloud Community
spoovy
Enthusiast
Enthusiast

P2V / Upgrade fail -- "Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store."

I'm trying to upgrade from a Windows VCS (6.5) to VCSA (6.7).   Falling at the first hurdle though -- the migration assistant, run on the Windows VCS fails with:

Error: Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store.

Resolution: Make sure that the vmafd service is reachable and started before continuing.

The VMware afd service is running though (it runs as a Windows service, "Local System" user).  I have tried the usual, restarting service to no avail.  The service does have "Allow service to interact with desktop" selected. Under the vSphere Web Client / Root Certificates I can see the normal CA cert (VMware Engineering) which is not expired and looks fine.

No idea why this isn't working (I'm not really a Windows guy), so any pointers appreciated.

Tags (2)
Reply
0 Kudos
29 Replies
msripada
Virtuoso
Virtuoso

Can you check if you are getting output for the below commands without error on the source vcenter server

"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS --text | more

"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOT_CRLS --text | more

Reply
0 Kudos
spoovy
Enthusiast
Enthusiast

Thanks, I do get results yes.   Strange as it seem like the service is working, but the migration assistant can't connect to it.  That's why I'm thinking it might be a Windows/permissions issue.

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

I believe it might due to one of certificates in the trusted_roots store is invalid certificate.

I will PM you with few commands, can you share me the output

Thanks,

MS

Reply
0 Kudos
spoovy
Enthusiast
Enthusiast

OK great thanks!

Reply
0 Kudos
jhumphrey6487
Contributor
Contributor

Running into the same error trying to update from VCSA 6.5 to 6.7. Were you able to find anything out on your error or how to resolve it?

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

PM you with commands.. pleas respond to that

Reply
0 Kudos
scarnes1983
Contributor
Contributor

Running into the same issue.  Could I get those commands as well?

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

I sent a private message. Please check your inbox

Reply
0 Kudos
scarnes1983
Contributor
Contributor

okay this is a stupid question .. but I just signed up for this forum and I dont the area for PM's

Reply
0 Kudos
a_sand
Contributor
Contributor

Hi guys,

can you share the "secret commands" from private messages? I have exactly the same problem

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

These are not secret commands btw.. if someone dont know what they are doing, it may lead to vcenter/psc crash or unusable. I am just cautious

Reply
0 Kudos
djones82
Contributor
Contributor

I'm have the same issue.  Could you please send me the commands?

Reply
0 Kudos
spoovy
Enthusiast
Enthusiast

I couldn't resolve this so had to build a new vcenter and I'm migrating everything across now.  The issue may have been a 3rd party cert in the wrong place as suspected by msripada, but I couldn't get the vmware utilities to remove it anyway so we'll never know.

Reply
0 Kudos
djones82
Contributor
Contributor

New deployment is very last resort for me.  Too many dependencies to deal with.  I've opened a support case.

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

Okay. I have sent a PM to you

Reply
0 Kudos
fschagas
Contributor
Contributor

Hi spoovy,

I was with the same problem, same error, I tried to upgrade from version 6.5u2 to 6.7u2 and the error is exactly the same, I do not know anyone who has succeeded, so I decided to upgrade to version 6.7 update 1, I had no problems, a installation occurred with no problem, then only upgraded to update 2 by VAMI, as you did not inform which update you are upgrading, if it is version 1 or 2 of version 6.7, then hope it helps.

Reply
0 Kudos
jithn
Contributor
Contributor

this issue got resolved ? I am facing the same problem Smiley Sad

Reply
0 Kudos
jithn
Contributor
Contributor

msripada​ hello ? I ma having the same issue, while upgrading to 6.7 . Can you help me on this ?

Reply
0 Kudos
UglyBagofWater
Contributor
Contributor

Same issue here.

Upgrade pre-check fails with this same error, going from VCSA 6.5 U2 to 6.7 U2.

Two months ago, we did replace the self-signed certs on the VSphere Center Server with a cert from our in-house CA.  Would this be the cause?

Reply
0 Kudos