VMware Cloud Community
JustyC
Enthusiast

vCenter 5.0 Upgrade to 5.5 Questions

We are planning to upgrade our vCenter 5.0 to 5.5. All existing certificates are VMware default 1024-bit and are expired. We have not decided if we want to use the VMware default certificates or get signed certificates from an outside CA. Would we need to have certificates in place and tested before we start the upgrade, or let the upgrade install new default 2048-bit certificates for each component? If we wanted to use certificates signed by an outside CA (VeriSign), how much trouble would it be to do the switch after the upgrade? Also, would it be OK to do the upgrade during normal business hours, as we have about 6 engineers who use vCenter daily? Any other recommendations for upgrading vCenter would be appreciated.

Thanks.
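The poster's two concerns are expired certificates and 1024-bit keys. The following script is an added example (not from the thread or from VMware) that audits a PEM certificate for exactly those two conditions with the openssl CLI, so the same check can be run against each vCenter and ESXi endpoint before and after the upgrade. The thresholds MIN_BITS and WARN_DAYS and the hostname in the comments are assumptions.

```shell
#!/bin/sh
# Added example: audit a certificate for a short RSA key or approaching expiry,
# the two problems described in the original post. Requires the openssl CLI.
# MIN_BITS and WARN_DAYS are hypothetical thresholds, adjust to policy.
MIN_BITS=2048
WARN_DAYS=30

# Print the RSA modulus size in bits for a PEM certificate file.
# Matches both "RSA Public-Key: (n bit)" (OpenSSL 1.1) and "Public-Key: (n bit)" (3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the certificate is still valid WARN_DAYS from now, 1 otherwise.
cert_valid_for_window() {
    openssl x509 -in "$1" -noout -checkend $(( WARN_DAYS * 86400 )) >/dev/null
}

# Combine both checks into one verdict: OK, WEAK_KEY, EXPIRING or WEAK_KEY+EXPIRING.
audit_cert() {
    verdict=""
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -lt "$MIN_BITS" ] && verdict="WEAK_KEY"
    if ! cert_valid_for_window "$1"; then
        verdict="${verdict:+$verdict+}EXPIRING"
    fi
    echo "${verdict:-OK}"
}

# Save the leaf certificate a TLS endpoint presents (host:port, e.g. the constructed
# name vcenter.example.internal:443) to a PEM file that audit_cert can read.
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}

# Usage: fetch_cert vcenter.example.internal:443 vcenter.pem && audit_cert vcenter.pem
```

Run it against every component endpoint (vCenter, SSO, Inventory Service, each ESXi host) and repeat after the upgrade to confirm the new default certificates are 2048-bit and not near expiry.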

9 Replies
vfk
Expert

Any particular reason that is driving you to have an outside CA for the vSphere environment? You could probably get away with just using a Microsoft CA, which is a common practice.


I have done most of my upgrades during business hours, with a scheduled maintenance window of course, as a rolling upgrade, but you have to keep in mind other applications that use vCenter to function, such as Veeam or other VMware products if you are using any; if you are using vDS, that is something else to think about as well. During the upgrade obviously you will be able to make changes to your environment.


How many hosts do you have in your environment?

--- If you found this or any other answer helpful, please consider the use of the Helpful or Correct buttons to award points. vfk Systems Manager / Technical Architect VCP5-DCV, VCAP5-DCA, vExpert, ITILv3, CCNA, MCP
JustyC
Enthusiast

I am trying to understand certificates a little better myself in order to make a decision on whether to use the VMware default certificates. There may also be a corporate security policy that mandates signed certs from an outside CA.

I'm checking on that today. We do have another group here that deals with signed certificates from VeriSign. They say they need a valid "outside" IP address to go with the fully qualified name, which doesn't seem correct, as vCenter will only be accessed from inside the firewall. As long as we have a DNS entry on our internal DNS server we should be good. Would there be any issues with VPN access and the certificates? We do not use vDS at this time, so I guess that is good. We have 30 hosts: half are ESX 4.0 and the rest are ESXi 5.0 U2. We plan to replace the server hardware on the 4.0 hosts and rebuild them from scratch to 5.5. At a later date we will use Update Manager to update the 5.0 hosts to 5.5.

vervoortjurgen
Hot Shot

Personally I wouldn't bother with the certificates. Use the VMware or MS CA unless you have Cloud Director, like vfk says. The upgrade depends on how your environment is built. Single server? Multiple servers (SSO servers, vCenter Inventory servers, etc.)? Read the installation/upgrade guide and follow the steps. I always do an upgrade outside business hours because it's just easier, and you don't have to worry about somebody needing it.

Also look at your business and how your cluster is built (DRS, DPM etc.).

If you have enough ESX hosts and you can power down one, then you can upgrade ESX even during business hours. If not, do it outside business hours.

You can install CA certificates after you upgrade, but I think you need to tweak some stuff and reconnect SSO to the vCenter Inventory Service. During installation you accept a certificate from VMware.

FYI!! Make backups before you start!!

If vCenter is running virtual, make a replica with Veeam Backup or other software.

With regards,

Kind regards, Vervoort Jurgen VCP6-DCV, VCP-cloud http://www.vdssystems.be
JustyC
Enthusiast

Our vCenter server runs all components except the database, which is on a separate server. Both servers are physical. We have only 1 install of vCenter, no multi-link. We are planning on installing SSO on the vCenter server, not a separate server. Yes, we have DRS; no, we do not use DPM. I agree using the VMware supplied default certificates would be much easier. Any idea how long the upgrade to 5.5 would take?

vfk
Expert

The general guideline is to follow the KISS principle unless there is a business need or requirement. One of the things I have done with my current environment is move from a physical vCenter to vCenter as a VM, with all components installed on a single server except the database. Virtual vCenter is definitely the way to go... you get all the benefits of vSphere HA, snapshots and so on.

--- If you found this or any other answer helpful, please consider the use of the Helpful or Correct buttons to award points. vfk Systems Manager / Technical Architect VCP5-DCV, VCAP5-DCA, vExpert, ITILv3, CCNA, MCP
blabarbera
Enthusiast

Updating the certs on the VCSA is a bit easier than on a physical vCenter server, but there is still a bit of a learning curve. I've done a VCSA 7 or 8 times, and once you do it once or twice it's not so bad.

Unless a component is internet facing there is really no need to use an outside CA. Setting up an online Microsoft CA is your best bet, and then you can mint your own certs as much as you need to.

The first time I did a cert swap on a physical vCenter server I read this guide - http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html - which is part of a larger vSphere 5.5 installation guide. The beauty of it is that he created his own tool which will walk you through the process of creating the CSRs, minting the certs, and installing them in the appropriate order. There are a few intermediate steps that need to be taken as well, which are also covered. If you've never done it before I would definitely start here, as he goes very in depth on how SSL works within vCenter, the order in which things need to be done, cert requirements, etc.

You're going to run into a few gotchas if you're using HA, as you will have to remove the hosts from any HA clusters in order to update the cert thumbprints. When you update the ESXi certs, HA is going to break until you do so.

Read that guide and check out the tool. As far as the time to update? That depends on your environment. Just make sure you follow the update sequence - VMware KB: Update sequence for vSphere 5.5 and its compatible VMware products

JustyC
Enthusiast

We will eventually run vCenter as a VM, but have been hesitant so far as we've had numerous issues with our iSCSI storage system. We are working with our storage vendor and VMware Support to rectify the problems. If vCenter were a VM and we lost control of the host it runs on, then we might have a difficult time managing the environment.

JustyC
Enthusiast

Reading through all the segments of the upgrade article now. Very informative. You mentioned possible HA issues on ESXi hosts and the certs. We currently have some ESX 4.0 clusters that we plan to upgrade at a later date. I guess there wouldn't be any certificate/HA issues with the ESX 4.0 hosts?

blabarbera
Enthusiast

That I don't know. I didn't start messing with certs and vCenter until 5.1, but according to a quick search it looks like it's something that started affecting upgrades to 5.0. (VMware KB: After upgrading to vSphere 5, you see the HA error: vSphere HA Cannot be configured on th...)

In the ESXi/SSL part of the article (Part 19) it is mentioned briefly. It's recommended to remove the host(s) from vCenter prior to updating the certs, and then reconnect them once done. I did a 5.5 host recently and forgot this step. The result was that the host got stuck in a perpetual election cycle.
