VMware Cloud Community
ophirs
Contributor
Contributor

Error on Pre-upgrade check result - Regenerate certificates for sso and try again

I am upgrading vCenter 6.5 to 6.7.

Whatever I do, update is failing in the pre-upgrade check:

Error

Certificate validation failed during pre-upgrade check.

Resolution

Regenerate certificates for sso and try again

Any ideas?
14 Replies
daphnissov
Immortal
Immortal

Show the exact error, please. Is this vCSA or Windows?

Reply
0 Kudos
ophirs
Contributor
Contributor

67.JPG

It's an appliance with embedded PSC.

Reply
0 Kudos
daphnissov
Immortal
Immortal

What is the current cert your appliance is presenting? Can you show details on that?

Reply
0 Kudos
ophirs
Contributor
Contributor

Which certificate are you referring to?

The HTML5 presents one kind of certs and the Flash other ones.

This is from the HTML5 UI:

certs_html5.JPG

And this is from the Flash UI:

certs_flash.JPG

Reply
0 Kudos
daphnissov
Immortal
Immortal

They all present the same cert (machine cert). Can you display that certificate's information? Does the name on the certificate correctly match the FQDN of this vCenter?

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

Can you check the lookupservice certificates using https://<vcenter/psc fqdn>:7444/lookupservice/sdk and check if they are expired by any chance?

If yes, please follow the below KB VMware Knowledge Base  after snapshot the vcenter/psc

Thanks,

MS

msripada
Virtuoso
Virtuoso

if you want to check the machine ssl validity, just go to https://<vc fqdn/psc fqdn>:443 and check both certificates?

Thanks,

MS

Reply
0 Kudos
ophirs
Contributor
Contributor

7444.JPG

But I have a valid SSL certificate for the vCenter, I mean for port 443.

The above was replaced...

Reply
0 Kudos
daphnissov
Immortal
Immortal

Then it's expired so you'll need to regenerate those lookup certs. This is separate from the machine SSL cert.

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

Lookup service is the used for SSO and is expired. You need to replace them using the KB I specificed. Machine ssl is different from lookup service.

Ensure backup of vcenter and also the snapshot is taken prior to updating the certificates for lookupservice

Thanks,

Ms

Reply
0 Kudos
ophirs
Contributor
Contributor

Followed https://kb.vmware.com/s/article/2118939 but it did not help (it refers to vCenter 5.5 & 6.0. Mine is 6.5)

In the KB there's a reference to /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12. There's no such file on my system.

I did find /usr/lib/vmware-psc-client/conf/ssoserver.p12.

Replaced both, restarted the services but still the lookup service has an invalid certificate.

Also ran:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias 558ff07402a0a534f2ddfa185962e60eeae4426b

to delete the expired certificate, but it persists...

Reply
0 Kudos
daphnissov
Immortal
Immortal

Open a SR with VMware.

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

Can you get me the output of it... /usr/lib/vmware-vmafd/bin/vecs-cli store list

I think this 6.5 is upgraded from 6.0.. So the steps vary a bit in this. in a fresh 6.5 deployment, lookup service is same as machinessl however for upgraded scenarios it does not  as it carries the certificate from 6.0 during upgrade.

Thanks,

MS

Reply
0 Kudos
ophirs
Contributor
Contributor

MACHINE_SSL_CERT

TRUSTED_ROOTS

TRUSTED_ROOT_CRLS

machine

vpxd

vpxd-extension

vsphere-webclient

SMS

STS_INTERNAL_SSL_CERT

BACKUP_STORE

BACKUP_STORE_H5C

The expired certificate is in TRUSTED_ROOTS.

And yes, it was a 6.0 vCenter upgraded to 6.5.

Reply
0 Kudos