OPERATIONAL DEFECT DATABASE
...
...
vCenter Upgrade from 6.x to 6.7 failed while registering Analytics Service with Component Manager due to cert validation failure.Issue can also be caused while migrating a vCenter server to 6.7 with below error analytics_firstboot.py_xxxx_stderr.log: 2019-02-12T13:36:10.042Z Failed to register Analytics Service with Component Manager: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)2019-02-12T13:36:10.045Z Traceback (most recent call last): File "/usr/lib/vmware-analytics/firstboot/analytics_firstboot.py", line 181, in register_with_cm cloudvm_sso_cm_register(keystore, cisreg_spec, key_alias, dyn_vars, isPatch=is_patch) File "/usr/lib/vmware-cm/bin/cloudvmcisreg.py", line 706, in cloudvm_sso_cm_register serviceId = do_lsauthz_operation(cisreg_opts_dict) File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 997, in do_lsauthz_operation ls_obj = LookupServiceClient(ls_url, retry_count=60) File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 307, in __init__ self._init_service_content() File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 287, in do_retry return req_method(self, *args, **kargs) File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 297, in _init_service_content self.service_content = si.RetrieveServiceContent() File "/usr/lib/vmware/site-packages/pyVmomi/VmomiSupport.py", line 557, in <lambda> self.f(*(self.args + (obj,) + args), **kwargs) File "/usr/lib/vmware/site-packages/pyVmomi/VmomiSupport.py", line 363, in _InvokeMethod return self._stub.InvokeMethod(self, info, args) File "/usr/lib/vmware/site-packages/pyVmomi/SoapAdapter.py", line 1385, in InvokeMethod conn.request('POST', self.path, req, headers) File "/usr/lib/python3.5/http/client.py", line 1107, in request self._send_request(method, url, body, headers) File "/usr/lib/python3.5/http/client.py", line 1152, in _send_request self.endheaders(body) File "/usr/lib/python3.5/http/client.py", line 1103, in endheaders self._send_output(message_body) File "/usr/lib/python3.5/http/client.py", line 934, in _send_output self.send(msg) File "/usr/lib/python3.5/http/client.py", line 877, in send self.connect() File "/usr/lib/vmware/site-packages/pyVmomi/SoapAdapter.py", line 1032, in connect six.moves.http_client.HTTPSConnection.connect(self) File "/usr/lib/python3.5/http/client.py", line 1261, in connect server_hostname=server_hostname) File "/usr/lib/python3.5/ssl.py", line 385, in wrap_socket _context=self) File "/usr/lib/python3.5/ssl.py", line 760, in __init__ self.do_handshake() File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake self._sslobj.do_handshake() File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake self._sslobj.do_handshake()ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719) During handling of the above exception, another exception occurred Traceback (most recent call last): File "/usr/lib/vmware-analytics/firstboot/analytics_firstboot.py", line 288, in main fb.register_with_cm(analytics_int_http, is_patch) File "/usr/lib/vmware-analytics/firstboot/analytics_firstboot.py", line 192, in register_with_cm problem_id='install.analytics.cmregistration.failed')cis.baseCISException.BaseInstallException: { "componentKey": "analytics", "problemId": "install.analytics.cmregistration.failed", "detail": [ { "translatable": "Analytics Service registration with Component Manager failed.", "localized": "Analytics Service registration with Component Manager failed.", "id": "install.analytics.cmregistration.failed" } ], "resolution": { "translatable": "Please search for these symptoms in the VMware Knowledge Base for any known issues and possible resolutions. If none can be found, collect a support bundle and open a support request.", "localized": "Please search for these symptoms in the VMware Knowledge Base for any known issues and possible resolutions. If none can be found, collect a support bundle and open a support request.", "id": "install.analytics.cmregistration.failed.res" }}2019-02-12T13:36:10.045Z VMware Analytics Service firstboot failed
The issue is caused: When the machine SSL cert chain is not validated.If the root certificate of the Issuing authority of the machine ssl certificate is not available in the TRUSTED_ROOTS store.In case of custom certificate the entire chain of certificate (intermediate CA as well as the root CA) should be available in the TRUSTED_ROOTS store.
To resolve the issue: Publish the missing certificate to the TRUSTED_ROOTS store. VCSA : /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <path_of_the_cert>Windows : "%VMWARE_CIS_HOME%"\vmafdd\dir-cli trustedcert publish --cert <path_of_the_cert> If the VC is upgraded from 5.x environment then it may have machine ssl cert issued VMware Installer, in such situation regenerate the machine ssl certificate as it would not be possible to get hold of the Vmware Installer certificate. For more details, refer to Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279) Note : Re-generating the machine SSL certificate would be helpful in all scenarios.
cert ; Analytics Service ; vCenter Upgrade ; ROOTS store ; certificate ; issued VMware ; dir-cli trustedcert ; chain ; support request ; validation failure ; Component Manager ; environment ; vmware-vmafd ; resolutions
Click on a version to see all relevant bugs
VMware Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
