aj800
Enthusiast

Upgrade to 6.7 pre-upgrade checks fail due to unsupported Host Profile and cert validation


I'm trying to upgrade the VCSA 6.5U3 to 6.7U3 and it failed for two reasons:

1. Certificate validation failed.  We're using an enterprise CA-issued signed cert and the lock icon in Firefox has been green for some time.  We had issues with VUM after applying the certs and the support tech ran a Python script to fix the SSL thumbprint mismatches, and since then, it's been fine and the VCSA shows the green lock icon when we access it in a browser.

2. Source vCenter Server has unsupported version of host profiles.  In the existing web client (6.5), if I go to VCSA -> Host -> Configure -> System -> Host Profile, it shows 'None' for each host.  We have 5 hosts and each is running at version 6.5 EP14.  How do I view the version of host profiles it's using?

How do I resolve these issues?

0 Kudos

Accepted Solutions
aj800
Enthusiast

1. Combing through logs, I found the Host Profile that was outdated and removed it since it was not in use.  This cleared up one pre-upgrade issue.

2. After fighting with several certificate store changes, breaking some things by doing that and reverting back to snapshots several times, it was determined that it was an STS certificate issue (Security Token Service for SSO) described in the following KB with a solution to fix that worked for me:

VMware Knowledge Base


0 Kudos
2 Replies
aj800
Enthusiast

1. I checked the "upgrade-requirements.log" file and it showed the Host Profile causing the issue, so I deleted it from here: Home -> Policies and Profiles -> Host Profiles -> [Profile] -> Actions -> Delete.  Turns out to be a profile associated with a 4.1 Hardening guide (not sure how it got there, but this likely pre-dates my role).

2.  I'm still trying to figure out what the certificate issue is because in the PSC, all the certs show as valid.  Only one is expired from earlier this year, but it does not appear to be in use.  When I check the certs in a browser, they all show as valid and won't expire until a few years from now.  Is there a way to get rid of that expired cert?  There's no delete option in the PSC for it in the Trusted Root section.

0 Kudos