I am upgrading vCenter 6.5 to 6.7.
Whatever I do, update is failing in the pre-upgrade check:
Lookup service is used for SSO and is expired. You need to replace them using the KB I specified. Machine SSL is different from lookup service.
Ensure a backup of vCenter and also a snapshot is taken prior to updating the certificates for the lookup service.
Followed https://kb.vmware.com/s/article/2118939 but it did not help (it refers to vCenter 5.5 & 6.0. Mine is 6.5)
In the KB there's a reference to /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12. There's no such file on my system.
I did find /usr/lib/vmware-psc-client/conf/ssoserver.p12.
Replaced both, restarted the services but still the lookup service has an invalid certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias 558ff07402a0a534f2ddfa185962e60eeae4426b
to delete the expired certificate, but it persists...
Can you get me the output of it... /usr/lib/vmware-vmafd/bin/vecs-cli store list
I think this 6.5 is upgraded from 6.0, so the steps vary a bit here. In a fresh 6.5 deployment, lookup service is the same as Machine SSL; however, for upgraded scenarios it is not, as it carries the certificate from 6.0 during upgrade.
The expired certificate is in TRUSTED_ROOTS.
And yes, it was a 6.0 vCenter upgraded to 6.5.