...
Upgrading or patching vCenter Server to 8.0 U2a or a later version shows the following pre-check error message:

VMCA root certificate validation failed. VMCA root certificate does not have 'Subject Key Identifier' extension.
Suggested Resolution: VMCA root certificate on vCenter needs to be regenerated. Refer to VMware KB 94840 for more details.

Patching to 8.0 U2 fails with any of the failures below:

Failure while generating 'wcp' certificate

/var/log/vmware/applmgmt/PatchRunner.log will show snippets similar to the following:

2023-09-27T01:37:47.391Z wcp:Patch ERROR root Failed to update solution user wcp.
Traceback (most recent call last):
  File "/usr/lib/vmware-wcp/py-modules/wcpconfigure.py", line 352, in update
    self._gen_cert()
  File "/usr/lib/vmware-wcp/py-modules/wcpconfigure.py", line 192, in _gen_cert
    invoke_command(
  File "/usr/lib/vmware/site-packages/cis/utils.py", line 372, in invoke_command
    raise InvokeCommandException(errStr='Command: %s\nStderr: %s' %\
cis.exceptions.InvokeCommandException: { "detail": [ { "id": "install.ciscommon.command.errinvoke", "translatable": "An error occurred while invoking external command : '%(0)s'", "args": [ "Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.vmware.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\nStderr: " ], "localized": "An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.vmware.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\nStderr: '" }
2023-09-27T01:37:47.392Z wcp:Patch ERROR wcp Failed to apply patch %s! Error: %s.
2023-09-27T01:37:47.392Z wcp:Patch ERROR wcp Not all patches were applied. Latest applied patch is 1
2023-09-27T01:37:47.392Z wcp:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'wcp:Patch' failed.

/var/log/vmware/applmgmt/update_microservice.log will show snippets similar to the following:

2023-09-27T01:37:47.390Z Done running command\n"error=b"2023-09-27T01:37:47.390Z Invoked command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc1.vmware.com', '--genCIScert', '--dataencipherment', '--privkey=/tmp/wcp_r2t4vosr.priv', '--cert=/tmp/wcp_fotsa0sr.crt', '--Name=wcp']\n2023-09-27T01:37:47.390Z RC = 124\nStdout = Error: 70012, VMCAGetSignedCertificatePrivate() failedStatus : Failed\nError Code : 70012\nError Message : Invalid CSR field\n\nStderr = \n"

A vCenter Server major upgrade from 6.x or 7.x to 8.0 U2 fails with any of the errors below:

"Failed to create data encipherment cert with hostname/ip"

/var/log/firstboot/vpxd_firstboot.py_xxxx_stderr.log

2023-09-27T13:59:02.247Z Invoked command: ['/usr/lib/vmware-vmca/bin/certool', '--server=vc2.vmware.com', '--genCIScert', '--dataencipherment', '--privkey=/etc/vmware-vpx/ssl/tmp-data-encipherment.key', '--cert=/etc/vmware-vpx/ssl/tmp-data-encipherment.crt', '--Name=data-encipherment', '--FQDN=vc2.vmware.com']
2023-09-27T13:59:02.247Z RC = 124
Stdout = Error: 70012, VMCAGetSignedCertificatePrivate() failed
Status : Failed
Error Code : 70012
Error Message : Invalid CSR field
Stderr =
2023-09-27T13:59:02.247Z VirtualCenter firstboot failed

Any certificate replacement on vCenter Server after upgrading to 8.0 U2 fails with the error message below:

Error: 70012, VMCAGetSignedCertificatePrivate() failed
Status : Failed
Error Code : 70012
Error Message : Invalid CSR field
This issue is caused by an old VMCA Root Certificate that lacks the Subject Key Identifier extension. This generally happens when the VMCA Root was carried forward from version 5.5 through successive upgrades.
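As an added example (not part of this KB or of any VMware tool), the following pure-Python check reproduces the condition the pre-check tests: whether a certificate's TBSCertificate extensions include Subject Key Identifier (OID 2.5.29.14). It assumes the VMCA root is available in PEM form; the DER walker and the unsigned sample certificate builder are constructed here for illustration only.

```python
"""Added check: does an X.509 certificate carry the Subject Key Identifier extension?"""
import base64
import re

SKI_OID_DER = bytes.fromhex("0603551d0e")      # OBJECT IDENTIFIER 2.5.29.14, DER-encoded

def _der(tag, body):                            # encode one DER TLV (definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):                        # decode one TLV -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                           # iterate the TLVs inside a constructed value
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body

def pem_to_der(pem):                            # strip the PEM armor, decode the base64 body
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(b64.split()))

def has_subject_key_identifier(der):
    """True if TBSCertificate.extensions contains an Extension whose OID is 2.5.29.14."""
    _, cert, _ = _read_tlv(der, 0)              # outer Certificate SEQUENCE
    tbs = next(_children(cert))[1]              # first child: TBSCertificate
    for tag, body in _children(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            _, ext_list, _ = _read_tlv(body, 0) # SEQUENCE OF Extension
            return any(ext.startswith(SKI_OID_DER) for _, ext in _children(ext_list))
    return False                                # v1-style certificate with no extensions at all

def build_sample_cert(with_ski):
    """Constructed, unsigned skeleton certificate (empty names, dummy signature) for testing."""
    empty_seq = _der(0x30, b"")
    exts = [_der(0x30, bytes.fromhex("0603551d13") + _der(0x04, empty_seq))]   # basicConstraints
    if with_ski:
        exts.append(_der(0x30, SKI_OID_DER + _der(0x04, _der(0x04, b"\x01" * 20))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty_seq * 5
               + _der(0xA3, _der(0x30, b"".join(exts))))
    return _der(0x30, tbs + empty_seq + _der(0x03, b"\x00"))
```

A root that returns False here is the one the 8.0 U2a pre-check rejects, and regenerating it as described below produces a root that carries the extension.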
Note: Regenerating the Root Certificate will by default replace the Machine SSL and Solution User Certificates. If the vCenter Server is using Custom Certificates for Machine SSL and Solution Users, these certificates need to be replaced again with the Custom Certificates after following the procedure below.

To resolve the issue, regenerate the VMCA Root Certificate and the associated Machine SSL and Solution User Certificates by following any of the methods below. If the source is a Windows vCenter Server (migration scenario), use the Certificate Manager Utility to replace the Certificates, as the fixcerts script works only on the vCenter Server Appliance (VCSA).

Using Certificate Manager Utility:

1. Login to vCenter Server.
2. Execute Certificate Manager:
   On VCSA: /usr/lib/vmware-vmca/bin/certificate-manager
   On Windows VC: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
   Note: The path listed is for a default installation of vCenter Server. If you have customized the installation location of vCenter Server, change the directory accordingly.
3. Select Option 4 or 8:
   | 4. Regenerate a new VMCA Root Certificate and replace all certificates
   | 8. Reset all Certificates
   Note : Use Ctrl-D to exit.
   Option[1 to 8]:
4. Enter the SSO Administrator Credentials and the fields for the Certificate.
5. Continue with the Certificate Replacement by entering 'Y'.

Refer to KB How to use vSphere Certificate Manager to Replace SSL Certificates for more details on the Certificate Manager Utility.

Using fixcerts python utility (works only on VCSA):

1. Login to VCSA using Putty.
2. Download the fixcerts.py utility from https://via.vmw.com/fixcerts
3. Copy the utility to VCSA using WinSCP, or copy/paste it using the 'vi' editor.
4. Execute the script with the following parameters to replace the VMCA Root Certificate, Machine SSL Certificate and Solution User Certificates:
   python fixcerts.py replace --certType root
5. Restart all the services if you skipped the restart offered by the fixcerts utility:
   service-control --stop --all && service-control --start --all

Refer to KB How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script for more details on the fixcerts script.