Symptoms
Unable to upgrade VCSA 6.7 to 7.0 you get the following error at the pre-checks for stage 2
Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 1, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/O=/CN='>'
Regenerate the certificates using the certificate-manager utility. For more information, refer to the article https://kb.vmware.com/s/article/2112279.
Cause
There are Several trusted Root certificates that are expired and/or not in use.There are several CRL's in the VCSA.
Resolution
Note/Warning: Make sure you have full backup of VCSA and take a snapshot of the vCenter prior to proceeding.1. Remove CRL'sfrom VCSA using Script. For more information, refer to PSC upgrade to 6.5/6.7 fails with Error: Failed to force refresh TRUSTED_ROOTS, Error : 183 (70656)
2. Unpublish the Expired certificates from the Trusted roots. For more information, refer to Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)
3. Regenerate Certificates using VMCA. For more information, refer to How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)
4. Try the upgrade again (from stage 1).
If needed to replace certificates again using Custom Certificates refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
