Skip to main content

Unable to upgrade VCSA 6.7 to 7.0 with error Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain

  Symptoms

  • Unable to upgrade VCSA 6.7 to 7.0 you get  the following error at the pre-checks for stage 2

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 1, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/O=/CN='>'

Regenerate the certificates using the certificate-manager utility. For more information, refer to the article https://kb.vmware.com/s/article/2112279.

 
Cause
  • There are Several trusted Root certificates that are expired and/or not in use.
  • There are several CRL's in the VCSA.
Resolution

Note/Warning: Make sure you have full backup of VCSA and take a snapshot of the vCenter prior to proceeding.

1.  Remove CRL'sfrom VCSA using Script. For more information, refer to PSC upgrade to 6.5/6.7 fails with Error: Failed to force refresh TRUSTED_ROOTS, Error : 183 (70656)

2. Unpublish the Expired certificates from the Trusted roots. For more information, refer to Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)

3. Regenerate Certificates using VMCA. For more information, refer to How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)

4. Try the upgrade again (from stage 1).

If needed to replace certificates again using Custom Certificates refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)

Comments

Post a Comment

Popular posts from this blog

Troubleshooting vpxd service on Windows vCenter Server

  Symptoms You cannot connect to VMware vCenter Server with the vSphere Client. You cannot see the VMware vCenter Server in the inventory in the vSphere Web Client. You see a Microsoft Windows Event error associated with IIS similar to: Event properties - Event 7024, Service Control Manager The VMware VirtualCenter Server service terminated with service-specific error The system cannot find the file specified.. Log Name: System Source: Service Control Event ID: 7024 Level: Error Note : A windows Event ID 1000 may also be reported in relation to this issue.   Connecting to vCenter Server fails with the error: Cannot connect to host server_name : No connection could be made because the target machine actively refused it.   Attempting to start the VMware VirtualCenter Server service fails. You see this error: Windows could not start the VMware VirtualCenter Server service on...
Post a Comment
Read more

Investigating virtual machine file locks on ESXi

      Details Adding an existing virtual machine disk (VMDK) to a virtual machine that is already powered on fails.                 Failed to add disk scsi0:1. Failed to power on scsi0:1   Powering on the virtual machine results in the power on task remaining at 95% indefinitely. Cannot power on the virtual machine after deploying it from a template. Powering on a virtual machine fails with an error: Unable to open Swap File Unable to access a file since it is locked Unable to access a file <filename> since it is locked Unable to access Virtual machine configuration In the /var/log/vmkernel log file, you see entries similar to: WARNING: World: VM xxxx: xxx: Failed to open swap file <path>: Lock was not free WARNING: World: VM xxxx: xxx: Failed to initialize swap file <path>   When opening a console to the virtual machine, you may receive ...
Post a Comment
Read more

"Failed to configure vAPI Endpoint Service at the firstboot time" while installing Windows VC 6.5

  Symptoms While configuring the vAPI EndPoint Service, you experience these symptoms: Windows vCenter Server 6.5 installation fails while configuring the vAPI EndPoint Service vCenter Server 6.5 installation on a Windows Server fails during the vAPI EndPoint Service during the firstboot time. You see the error: Error: An error occurred while starting service 'vapi-endpoint'. Failed to start the vAPI Endpoint Service. Failed to configure vAPI Endpoint Service at the firstboot time. Please file a bug against VAPI   In vapi_firstboot.py_2948_stderr.log file, you see entries similar to: No valid files with pathname: C:\ProgramData\VMware\vCenterServer\logs\vapi\endpoint* found. ERROR starting vapi-endpoint rc: 2, stdout: , stderr: Start service request failed. Error: Service crashed while starting^M vapi firstboot failed Traceback (most recent call last): File "C:\Program Files\VMware\vCenter Server\firstbo...
Post a Comment
Read more