VMware Cloud Community
gjbrown
Enthusiast

upgrade 6.7u3 to 7.0 cert issues

Attempting to upgrade my lab from 6.7u3.latest to 7.0.latest.

The new VCSA VM deploys OK, but during pre-check I get the following error:

Error

A vCenter Single Sign-On endpoint certificate validation error has occurred.

Resolution

Ensure that the endpoint service registrations in vmdir match their corrsponding machine SSL certificates in VECS. For more information, see Knowledge Base article KB 2121701.

I have already gone through the KB to no avail. I have also gone through and reset all certs (cert manager option 8).

Anyone have any guidance or suggestions?

Thanks,

-GB
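
The check the pre-check message asks for (each endpoint registration's trust anchor must match the node's current machine SSL certificate), as an added example that is not part of this thread and is not the ls_ssltrust_fixer script. The record layout, field names, host names and certificate bytes are constructed for illustration, and SHA-256 is an assumed fingerprint choice.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse  # Python 3 home of the old `urlparse` module

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_from_pem(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()))

def fingerprint(der):
    """SHA-256 over the DER encoding (assumed fingerprint choice)."""
    return hashlib.sha256(der).hexdigest()

def find_stale_registrations(node, machine_pem, registrations):
    """Return service IDs on `node` whose trust anchors lack the current cert."""
    current = fingerprint(der_from_pem(machine_pem))
    stale = []
    for reg in registrations:
        # urlparse().hostname is lower-cased, so compare case-insensitively.
        if urlparse(reg["url"]).hostname != node.lower():
            continue  # registration belongs to another node in the SSO domain
        trusted = {fingerprint(base64.b64decode(t)) for t in reg["ssl_trust"]}
        if current not in trusted:
            stale.append(reg["service_id"])
    return stale

# Constructed sample data: placeholder bytes stand in for DER certificates.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
b64 = lambda raw: base64.b64encode(raw).decode()
MACHINE_PEM = ("-----BEGIN CERTIFICATE-----\n" + b64(NEW_DER) +
               "\n-----END CERTIFICATE-----\n")
REGISTRATIONS = [
    {"service_id": "svc-a", "url": "https://VC01.example.test/sdk",
     "ssl_trust": [b64(OLD_DER)]},   # still pinned to the replaced cert
    {"service_id": "svc-b", "url": "https://vc01.example.test:443/svc",
     "ssl_trust": [b64(NEW_DER)]},   # matches the current cert
    {"service_id": "svc-c", "url": "https://vc02.example.test/sdk",
     "ssl_trust": [b64(OLD_DER)]},   # other node, out of scope here
]

if __name__ == "__main__":
    print(find_stale_registrations("vc01.example.test", MACHINE_PEM, REGISTRATIONS))
```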

31 Replies
scsigate
Contributor

Hi sudeshnas,

Thanks for that Python script. That did the trick for my upgrade.

Cheers,

0 Kudos
IKT_Bee
Contributor

Hello,

Thanks for the script, but it seems some modules are missing on my side. How can I add/import them?
Sorry to ask, but I have no Python knowledge 😞

THX!

root@srvvmvcsa [ /usr/lib/vmidentity/tools/scripts ]# python ls_ssltrust_fixer.py -f scan
Traceback (most recent call last):
  File "ls_ssltrust_fixer.py", line 16, in <module>
    import lstoolutil
  File "/usr/lib/vmidentity/tools/scripts/lstoolutil.py", line 7, in <module>
    import urlparse
ModuleNotFoundError: No module named 'urlparse'

0 Kudos
cdsharp
Contributor

This fixed my issue. Thanks!

0 Kudos
StefanGM
Contributor

Hello,

Unfortunately I have the same issue.

When I run the scan it finds 6 mismatches, but when I run the fix it does not update them.

Running function 'fix'
Fix phase 1: Reading IDs with incorrect certificate from scan results
Using mismatch ID list from: /var/log/ls_ssltrust_fixer/mismatchIDs
SSO administrator user (Default:Administrator@vsphere.local):administrator@vsphere.local
Password for administrator@vsphere.local:
Fix phase 2: Collecting site topology information
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
*** 0 endpoints for 0 service IDs updated with current cetificates and trust ***
Completed running function 'fix'

Any ideas?

0 Kudos
MikeBauer
Contributor

I keep getting an error when running the scan:

It gives me an UnboundLocalError: local variable 'endpointurl' referenced before assignment

0 Kudos
MikeBauer
Contributor

I was able to make it work by manually creating the local variable with the name of the vCenter with the internal PSC

0 Kudos
systeembhr_sboh
Contributor

Hi gjbrown,

I used the ls_ssltrust_fixer_p3.py to fix the certificates, but when I run the upgrade it still fails on the wcp-firstboot message:

Did you find a fix for this?

In the VMware KB 82634, the workaround that would fix this should be an entry in the /etc/hosts (the new VCSA)

x.x.x.x  vcenter.noa.local > I used this entry, but the installer's 2nd phase removes this entry, so it did not work

022-03-12T18:51:40.247Z INFO wcp-firstboot WCP storage user does not exists, create the user.
2022-03-12T18:51:40.247Z INFO wcp-firstboot Creating ServiceAccount client...
2022-03-12T18:51:40.325Z Further filtering retrieved service registration list on hostname : vcenter.noa.local
2022-03-12T18:51:40.335Z INFO wcp-firstboot Creating service account...
2022-03-12T18:51:40.335Z INFO wcp-firstboot Initializing ServiceAccount session...
2022-03-12T18:51:43.356Z ERROR wcp-firstboot Unexpected error creating ServiceAccount {messages : [LocalizableMessage(id='com.vmware.vcenter.svcaccountmgmt.error', default_message='Exception found (Internal Server Error, VMware directory error[9127])', args=['Internal Server Error, VMware directory error[9127]'], params=None, localized=None)], data : None, error_type : ERROR}
2022-03-12T18:51:43.357Z ERROR wcp-firstboot Failed to create service account for workload storage
Traceback (most recent call last):
  File "/usr/lib/vmware-wcp/py-modules/wcpconfigure.py", line 362, in _create_storage_user
    password = svcacctmgmt_client.create_svc_account(self._user_name)
  File "/usr/lib/vmware-wcp/py-modules/svcacctmgmt.py", line 90, in create_svc_account
    raise er
  File "/usr/lib/vmware-wcp/py-modules/svcacctmgmt.py", line 84, in create_svc_account
    svcacct_pwd_out = svcacct_client.create(create_spec)
  File "/usr/lib/vmware-wcp/py-modules/vapi-bindings/com/vmware/vcenter/svcaccountmgmt_client.py", line 340, in create

0 Kudos
Mkei
Contributor

I am having the same issue; the upgrade stopped at 89% with the error message "WCP service installation failed.....". It seems we have a mismatch between sAMAccountName and cn name. I tried https://kb.vmware.com/s/article/82634?lang=en_US using the 6.7 vCenter IP address with the cn name, and it does not work for me. Does anyone know how to resolve it?

0 Kudos
BigMike23
Enthusiast

Thanks for the script, it was very helpful for me and others.

0 Kudos
ArneArne
Contributor

The official VMware lsdoctor wrecked my vCenter 6.7; the upgrade program didn't recognize the vCenter appliance as such anymore. Reverted the snapshot, tested and used your script. Result!!

Well done.

0 Kudos
MRRamsay
Contributor

When the script is run on a vCenter for Windows server, it throws the following error:

Traceback (most recent call last):
  File "ls_ssltrust_fixer_p3.py", line 16, in <module>
    import lstoolutil
ImportError: No module named lstoolutil

lstoolutil is located in the C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts folder.

0 Kudos
Ridgy
Contributor

Running into the same issues.

python ls_ssltrust_fixer_p3.py -f scan
Running function 'scan'
Scan Phase1: Getting service IDs
Traceback (most recent call last):
  File "ls_ssltrust_fixer_p3.py", line 368, in <module>
    main()
  File "ls_ssltrust_fixer_p3.py", line 356, in main
    _doScan()
  File "ls_ssltrust_fixer_p3.py", line 200, in _doScan
    rc, ids = lstoolcommunicate(["list","--no-check-cert","--url",lsUrl,"--id-only"])
  File "ls_ssltrust_fixer_p3.py", line 43, in lstoolcommunicate
    java = lstoolutil._get_java()
  File "/usr/lib/vmidentity/tools/scripts/lstoolutil.py", line 215, in _get_java
    if os.environ.has_key('VMWARE_JAVA_HOME'):
AttributeError: '_Environ' object has no attribute 'has_key'

0 Kudos