To support ESXi 7.x we required an upgrade to our Virtual Center Server Appliance which was on version 6.7. The upgrade itself was as follows:
1. Your host must be ESXi 6.5 or later as per the following VMware link. I went with a fresh ESXi 7.0 install as the host would not upgrade due to HPE customizations.
2. Install the new VCSA 7 virtual appliance and run the upgrade wizard.
3. Make sure you have application backups / snapshosts of existing VCSA appliance.
Ok so it seemed like straight forward task. However like with any infrastructure upgrade I ran into a few issues:
1. When upgrading ESXi 6.0 on a HP DL380 custom image, there was an unsupported driver that needed removing for upgrade to proceed.
2. When upgrading VCSA 6.7 to version 7 I encountered the following error:
Error
A vCenter Single Sign-On endpoint certificate validation error has occurred.
Resolution
Ensure that the endpoint service registrations in vmdir match their corrsponding machine SSL certificates in VECS. For more information, see Knowledge Base article KB 2121701.
Our VCSA 6.7 was using an Active Directory CA certificate for the “machine cert” so that when using the UI, browsers would not pop for untrusted connection etc. The issue was that when running the validation check to upgrade to VCSA 7.x the certifcate for machine didnt match all the other ones in VCSA back end. To fix this I came across a VMware communities article that had a python tool attached which automates the process in KB 2121701.
Link to the SSL Fixer .py tool
Run the tool on the source VCSA – in my case that was 6.7 to fix up your machine certs and then run the upgrade wizard again. This then passed the validation check and allowed the upgrade to proceed.
Copy the file to lstool scripts folder.
For vCSA path:
# /usr/lib/vmidentity/tools/scripts
Run the below commands:
# python ls_ssltrust_fixer_p3.py -f scan
#python ls_ssltrust_fixer_p3.py -f fix
Comments