
OPERATIONAL DEFECT DATABASE
Upgrading VCSA 6.7 to 7.0 fails at the stage 2 pre-checks with the following error:

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 1, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/O=/CN='>' Regenerate the certificates using the certificate-manager utility. For more information, refer to the article https://kb.vmware.com/s/article/2112279.

There are several trusted root certificates that are expired and/or not in use. There are several CRLs in the VCSA.

Note/Warning: Make sure you have a full backup of the VCSA and take a snapshot of the vCenter prior to proceeding.

1. Remove the CRLs from the VCSA using the script. For more information, refer to PSC upgrade to 6.5/6.7 fails with Error: Failed to force refresh TRUSTED_ROOTS, Error : 183 (70656)
2. Unpublish the expired certificates from the trusted roots. For more information, refer to Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)
3. Regenerate the certificates using VMCA. For more information, refer to How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)
4. Try the upgrade again (from stage 1).

If you need to replace the certificates again with custom certificates, refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
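Before unpublishing anything in step 2, it helps to know exactly which TRUSTED_ROOTS entries are expired. The following is an added example, not part of the original article or of any VMware tooling: it parses a saved text listing of the store (for instance the output of `vecs-cli entry list --store TRUSTED_ROOTS --text`) and returns the aliases whose "Not After" date has passed. The listing layout (an "Alias :" line per entry followed by openssl-style certificate text) is an assumption, and the sample data is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like a text listing of the TRUSTED_ROOTS store.
# Assumed layout: one "Alias :" line per entry, then openssl-style text.
SAMPLE = """\
Alias : a1b2c3-constructed-old-root
Entry type : Trusted Cert
Certificate:
    Data:
        Validity
            Not Before: Jan  5 10:00:00 2010 GMT
            Not After : Jan  5 10:00:00 2020 GMT
        Subject: CN=Old Lab Root CA (constructed)
Alias : d4e5f6-constructed-current-root
Entry type : Trusted Cert
Certificate:
    Data:
        Validity
            Not Before: Mar  1 00:00:00 2015 GMT
            Not After : Mar  1 00:00:00 2035 GMT
        Subject: CN=Current Lab Root CA (constructed)
"""

ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

def parse_entries(text):
    """Return [(alias, not_after)] for each entry in the listing."""
    entries, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:
            # openssl pads one-digit days with a second space; collapse it
            stamp = " ".join(m.group(1).split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            entries.append((alias, when.replace(tzinfo=timezone.utc)))
            alias = None  # only the first validity block belongs to this alias
    return entries

def expired_aliases(text, now=None):
    """Return aliases whose certificate expired before `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    return [alias for alias, not_after in parse_entries(text) if not_after < now]
```

Run `expired_aliases()` on the saved listing and review the returned aliases against the certificates actually in use before unpublishing any of them.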