VMware Cloud Community
WinStime
Enthusiast

Upgrade from vRA 7.2 to 7.3 Failed because of IAAS certificate installation

Hi,

I tried to upgrade my vRA 7.2 to 7.3 from the VAMI UI.

The upgrade failed. Here is what we can see in the VAMI UI:

    Last Install:Failed to install updates(Error while running pre-install scripts and post-install scripts) on Monday, 2017 October 09 17:35:16 UTC+2
    VA-check: finished
    Pre-install: failed (code p-1)
    Cannot start command to install VMware certificate.
    RPM Status 1: Pre install script failed, package test and installation skipped.
    Post-install: failed
    Update failed (code 1-1). Check logs in /opt/vmware/var/log/vami or retry update later.

And when checking the log I have the following:

    + echo '2017-10-09 15:34:59 /etc/bootstrap/preupdate.d/00-00-03-upgrade-management-agents starting...'
    + /etc/bootstrap/preupdate.d/00-00-03-upgrade-management-agents 7.2.0.381 7.3.0.536
    Current version is 7.2.0.381
    Found 1 IaaS nodes with ids: 69A6FA97-B0C7-423E-9F57-6B1F2501225B
    The new version for iaas nodes is: 7.3.0.10750
    Nodes to upgrade the management agent on: 69A6FA97-B0C7-423E-9F57-6B1F2501225B
    Trying to upgrade management agent
    Installing VMware certificate on IaaS machine
    Cannot start command to install VMware certificate.
    + res=1
    + echo 'Script /etc/bootstrap/preupdate.d/00-00-03-upgrade-management-agents failed, error status 1'

I went into the upgrade-management-agent script and into the Python script, and saw that it's trying to execute a remote PowerShell on the IAAS to install the certificate.

        print "Trying to upgrade management agent"
        if old_version_numbers[0] == 7 and old_version_numbers[1] <= 3:
            print "Installing VMware certificate on IaaS machine"
            certificate = ""
            with open('/opt/vmware/share/htdocs/service/iaas/download/scripts/PsScriptSignCert.pem', 'r') as certificate_file:
                certificate = certificate_file.read()
            arguments = ["/usr/sbin/vcac-config", "command-start",
                         "--command", "install-certificate",
                         "--parameter", "CertificateBase64String=%s" % certificate,
                         "--parameter", "StoreNames=TrustedPublisher",
                         "--parameter", "StoreLocation=CurrentUser"]
            wait_for_command_to_finish(arguments, filtered_ids,
                                       "Cannot start command to install VMware certificate.",

I also checked if executing remote scripting with PowerShell was allowed or not, and execution is set to unrestricted.

When checking the IAAS log, I found the following entry telling that the certificates were successfully installed.

I raised a ticket #17592660610 to support last Monday and we did a WebEx, but nothing since Monday.

If anyone has an idea, tell me 🙂

Thanks

0 Kudos
2 Replies
daphnissov
Immortal

Does the service account that you're using for the management agent have restrictions imposed by GPO? When I've seen a similar situation in the past, it was due to that domain account not having software install and other permissions.

0 Kudos
WinStime
Enthusiast

That's a good point to check.

Let me check...

0 Kudos
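Added example, not part of any post in this thread and not VMware code: a PowerShell check for the two points the thread raises, whether Group Policy overrides the execution policy and whether the signing certificate is in the CurrentUser TrustedPublisher store of the management agent's service account. The file location `C:\Temp\PsScriptSignCert.pem` (a copy of the appliance file named in the script) and the service display-name wildcard are assumptions.

```powershell
# Added diagnostic sketch. Run it on the IaaS Windows node in a session started
# as the management agent's service account, because the store is per-user.
param(
    # Assumption: PsScriptSignCert.pem was copied here from the appliance.
    [string]$PemPath = 'C:\Temp\PsScriptSignCert.pem',
    # Assumption: wildcard for the agent's service display name; adjust to match.
    [string]$ServiceDisplayName = '*Management Agent*'
)

# 1. Which account runs the agent, and is this session running as that account?
$svc = Get-CimInstance Win32_Service | Where-Object DisplayName -like $ServiceDisplayName
$svc | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
"Current session identity: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 2. Execution policy at every scope. A value under MachinePolicy or UserPolicy
#    comes from Group Policy and wins over a local "Unrestricted" setting.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize
$gpo = $policies | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
}
if ($gpo) {
    Write-Warning "Execution policy is set by Group Policy at: $($gpo.Scope -join ', ')"
}
"Effective policy for this session: $(Get-ExecutionPolicy)"

# 3. Decode the PEM (with or without BEGIN/END lines) and look for its
#    thumbprint in the store the upgrade script targets.
$pem   = Get-Content -Raw -Path $PemPath
$b64   = ($pem -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
$bytes = [Convert]::FromBase64String($b64)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)

$found = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Where-Object Thumbprint -eq $cert.Thumbprint
if ($found) {
    "Signing certificate $($cert.Thumbprint) is present in CurrentUser\TrustedPublisher"
} else {
    Write-Warning "Signing certificate $($cert.Thumbprint) is NOT in CurrentUser\TrustedPublisher for this account"
}
"Certificate validity: $($cert.NotBefore) to $($cert.NotAfter)"
```

If the certificate shows up for an administrator but not for the service account, or a policy scope reports a GPO-set value, that points at account restrictions rather than at the appliance-side script.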