Skip to main content

Unable to upgrade VCSA 6.7 to 7.0 with error Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain

  Symptoms

  • Unable to upgrade VCSA 6.7 to 7.0 you get  the following error at the pre-checks for stage 2

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 1, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/O=/CN='>'

Regenerate the certificates using the certificate-manager utility. For more information, refer to the article https://kb.vmware.com/s/article/2112279.

 
Cause
  • There are Several trusted Root certificates that are expired and/or not in use.
  • There are several CRL's in the VCSA.
Resolution

Note/Warning: Make sure you have full backup of VCSA and take a snapshot of the vCenter prior to proceeding.

1.  Remove CRL'sfrom VCSA using Script. For more information, refer to PSC upgrade to 6.5/6.7 fails with Error: Failed to force refresh TRUSTED_ROOTS, Error : 183 (70656)

2. Unpublish the Expired certificates from the Trusted roots. For more information, refer to Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)

3. Regenerate Certificates using VMCA. For more information, refer to How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)

4. Try the upgrade again (from stage 1).

If needed to replace certificates again using Custom Certificates refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)

Comments

Post a Comment

Popular posts from this blog

Error [403] The maximum number of sessions has been exceeded in the H5 client during login or logout

  Symptoms In virgo log, you see messages similar to: [2020-05-19T07:25:45.285Z] [ERROR] http-nio-5090-exec-130 72026859 142953 501051 com.vmware.vise.security.spring.DefaultAuthenticationProvider logout failed for sessionId 142953, clientId 501051 java.lang.IllegalStateException: The specified cardinality of 1..1 for osgi:reference implementing com.vmware.vcenter.apigw.api.ApiGatewaySessionManager in bundle com.vmware.h5ngc requires that exactly one OSGI service satisfies the filtering criteria but no such service was found.         at com.vmware.o6jia.context.ExternalServiceTargetSource.getTarget(ExternalServiceTargetSource.java:99)         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:192)         at com.sun.proxy.$Proxy159.logout(Unknown Source)   ...
Post a Comment
Read more

Investigating virtual machine file locks on ESXi

      Details Adding an existing virtual machine disk (VMDK) to a virtual machine that is already powered on fails.                 Failed to add disk scsi0:1. Failed to power on scsi0:1   Powering on the virtual machine results in the power on task remaining at 95% indefinitely. Cannot power on the virtual machine after deploying it from a template. Powering on a virtual machine fails with an error: Unable to open Swap File Unable to access a file since it is locked Unable to access a file <filename> since it is locked Unable to access Virtual machine configuration In the /var/log/vmkernel log file, you see entries similar to: WARNING: World: VM xxxx: xxx: Failed to open swap file <path>: Lock was not free WARNING: World: VM xxxx: xxx: Failed to initialize swap file <path>   When opening a console to the virtual machine, you may receive ...
Post a Comment
Read more

"Failed to configure vAPI Endpoint Service at the firstboot time" while installing Windows VC 6.5

  Symptoms While configuring the vAPI EndPoint Service, you experience these symptoms: Windows vCenter Server 6.5 installation fails while configuring the vAPI EndPoint Service vCenter Server 6.5 installation on a Windows Server fails during the vAPI EndPoint Service during the firstboot time. You see the error: Error: An error occurred while starting service 'vapi-endpoint'. Failed to start the vAPI Endpoint Service. Failed to configure vAPI Endpoint Service at the firstboot time. Please file a bug against VAPI   In vapi_firstboot.py_2948_stderr.log file, you see entries similar to: No valid files with pathname: C:\ProgramData\VMware\vCenterServer\logs\vapi\endpoint* found. ERROR starting vapi-endpoint rc: 2, stdout: , stderr: Start service request failed. Error: Service crashed while starting^M vapi firstboot failed Traceback (most recent call last): File "C:\Program Files\VMware\vCenter Server\firstbo...
Post a Comment
Read more