I am upgrading vCenter 6.5 to 6.7.
Whatever I do, update is failing in the pre-upgrade check:
Error
Resolution
Show the exact error, please. Is this vCSA or Windows?
It's an appliance with embedded PSC.
What is the current cert your appliance is presenting? Can you show details on that?
Which certificate are you referring to?
The HTML5 UI presents one kind of cert and the Flash UI another.
This is from the HTML5 UI:
And this is from the Flash UI:
They all present the same cert (machine cert). Can you display that certificate's information? Does the name on the certificate correctly match the FQDN of this vCenter?
Can you check the lookupservice certificates using https://<vcenter/psc fqdn>:7444/lookupservice/sdk and check if they are expired by any chance?
If yes, please follow the KB below (VMware Knowledge Base) after taking a snapshot of the vCenter/PSC.
Thanks,
MS
If you want to check the machine SSL validity, just go to https://<vc fqdn/psc fqdn>:443 and check both certificates.
Thanks,
MS
But I have a valid SSL certificate for the vCenter, I mean for port 443.
The above was replaced...
Then it's expired so you'll need to regenerate those lookup certs. This is separate from the machine SSL cert.
The lookup service is used for SSO and its certificate is expired. You need to replace it using the KB I specified. Machine SSL is different from the lookup service.
Ensure a backup of vCenter and also a snapshot are taken prior to updating the certificates for the lookup service.
Thanks,
Ms
Followed https://kb.vmware.com/s/article/2118939 but it did not help (it refers to vCenter 5.5 & 6.0; mine is 6.5).
In the KB there's a reference to /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12. There's no such file on my system.
I did find /usr/lib/vmware-psc-client/conf/ssoserver.p12.
Replaced both, restarted the services but still the lookup service has an invalid certificate.
Also ran:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias 558ff07402a0a534f2ddfa185962e60eeae4426b
to delete the expired certificate, but it persists...
Open a SR with VMware.
Can you get me the output of it... /usr/lib/vmware-vmafd/bin/vecs-cli store list
I think this 6.5 was upgraded from 6.0, so the steps vary a bit here. In a fresh 6.5 deployment, the lookup service certificate is the same as the machine SSL one; however, in upgraded scenarios it is not, as it carries the certificate over from 6.0 during the upgrade.
Thanks,
MS
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
STS_INTERNAL_SSL_CERT
BACKUP_STORE
BACKUP_STORE_H5C
The expired certificate is in TRUSTED_ROOTS.
And yes, it was a 6.0 vCenter upgraded to 6.5.
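The check suggested in the thread (the certificate on port 443 versus the one on port 7444, and whether either is expired) can be scripted as below. This is an added example, not part of the thread or of any VMware tooling; it assumes `openssl` is on the PATH, and the function names and the sample CN `vcsa.example.test` are made up for illustration.

```shell
# Added example, not from the thread. Function names and the sample CN are assumptions.

# fetch_cert HOST PORT OUT: save the leaf certificate the endpoint presents.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$3"
}

# make_sample_cert DAYS OUT: constructed self-signed certificate for offline runs.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -days "$1" -subj "/CN=vcsa.example.test" 2>/dev/null && rm -f "$2.key"
}

# cert_status PEM [WINDOW]: prints "valid", or "expired" when notAfter is
# already past or falls within WINDOW seconds from now (default 0).
cert_status() {
    if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# cert_fp PEM: SHA-256 fingerprint, used to tell two certificates apart.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# same_cert PEM_A PEM_B: "same" when both endpoints serve one certificate.
same_cert() {
    if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then echo same; else echo different; fi
}

# report MACHINE_PEM LOOKUP_PEM [WINDOW]: one line per endpoint, then the comparison.
report() {
    echo "443  machine SSL:    $(cert_status "$1" "$3") ($(openssl x509 -in "$1" -noout -enddate))"
    echo "7444 lookup service: $(cert_status "$2" "$3") ($(openssl x509 -in "$2" -noout -enddate))"
    echo "certificates are:    $(same_cert "$1" "$2")"
}

# Usage: sh script.sh [VCENTER_FQDN [WINDOW_SECONDS]]
tmp=$(mktemp -d)
if [ -n "${1:-}" ]; then   # live check against the appliance
    fetch_cert "$1" 443 "$tmp/m.pem" && fetch_cert "$1" 7444 "$tmp/l.pem"
else                       # offline demo: constructed 10-year and 1-day certificates
    make_sample_cert 3650 "$tmp/m.pem" && make_sample_cert 1 "$tmp/l.pem"
fi && report "$tmp/m.pem" "$tmp/l.pem" "${2:-0}"
rm -rf "$tmp"
```

A "different" result with an expired 7444 certificate matches the upgraded-from-6.0 case described above, where the lookup service keeps its own certificate instead of sharing the machine SSL one.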