Sometimes when upgrading VSCA 6.5.x and 6.7.x to VMware vCenter Server 7.0u3.x, you can experience an SSL Trust error. This can quickly be resolved using the lsdocter tool. This post will explain in a few simple steps how you can resolve the issue.
During the Pre-upgrade check when upgrading VCSA 6.5.x and 6.7.x to VMware vCenter Server 7.0u3.x, you can experience one of these symptoms:
- Certificate specified for SSL Trust has expired
- Certificate specified for SSL Trust is not yet valid
- Certificate specified for SSL Trust cannot be parsed
- Duplicate service registrations of the same type has been detected
- SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the legacy service registrations
- A legacy service registration for SSO service has been found to still use Port 7444
- SSL Trust certificate does not match the current MACHINE_SSL_CERT for one of the service registrations
- A stale service registration has been found to be using Solution User configuration from vCenter 5.5
- A functional service registration has been found to be using Solution User configuration from vCenter 5.5
Using the ‘lsdoctor’ Tool
Lookup Service Doctor (lsdoctor) is a tool used to address issues with data stored in the PSC database, as well as data local to a vCenter (regardless of whether the PSC is external or embedded). The tool can be used to detect and correct problems that could cause failures in topology changes (converge, repoint, etc.), upgrades, or failures incurred as a result of maintenance (e.g. incorrectly applying new SSL certificates). This article will outline its functions and use.
Installing the lsdocter tool can be done in a few simple steps. To use lsdoctor, you must download WINSCP (you can use different file-moving utilities).
NOTE: If you have trouble connecting to a vCenter appliance with the error “Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B”, follow the steps in this article.
Use WinSCP to move the lsdoctor file onto a directory in the VCSA. Do not forget to create a backup of the VCSA. You can accomplish this by taking a cold (shutdown the appliance) snapshot of the VCSA.
- Open WinSCP and log in to the vCenter Appliance
- In this case, we installed lsdoctor in the tmp directory /tmp/lsdoctor-main
- Now open a terminal session to the VCSA using e.g. Putty
- Type shell to enter the command shell
- To change the directory type cd /tmp/lsdoctor-main
- Type python lsdoctor.py –help if you want to explore the options
- In this case, we need to use the -t, –trustfix option
- Run python lsdoctor.py -t
- Provide the password for your SSO administrator account (email@example.com)
- Fix all SSL Trust errors
Follow-up actions needed
Once the script is successfully completed, restart all services on all nodes in the SSO site.
- To stop all services type service-control –stop –all
- To start all service type service-control –start –all
Regarding the SSL Trust error, you can now proceed with stage two to upgrade the VCSA.
That’s all folks!
Please get in touch with me or leave a comment, if you have any questions or want more information on this or other topics.