Upgrading VMware vCenter (VCSA) 7.0.3 to 8.0.2 fails with Regenerate certificates for SSO and try again.


We had just started an upgrade of VCSA 7.0.3 to the latest build of VCSA 8.0.2. The customer had migrated this VCSA along the path 5.5 > 6.0 > 6.5 > 7.0. In stage 2 of the upgrade, the pre-upgrade validation failed with "Regenerate certificates for SSO and try again".

Take a SNAPSHOT or BACKUP of your VCSA before following the steps below.

So we connected to the source VCSA over SSH and ran certificate-manager (/usr/lib/vmware-vmca/bin/certificate-manager). We chose option 8, "Reset all Certificates", and answered the prompts. After a few minutes the VCSA services are restarted.

We expected that re-running the validation in stage 2 would clear the problem, but nothing changed: we still got the same SSO certificate error.

When we checked the certificate in the vCenter UI, it had been renewed successfully. But the certificate presented at https://<vcenter/psc fqdn>:7444/lookupservice/sdk (port 7444 is served by the STS, the Security Token Service that vCenter Single Sign-On runs) was still the old, expired one, and that was the real issue.

The next steps were to run the fixsts.sh script from the VMware KB article and then regenerate a new VMCA root certificate and replace all certificates (option 4 in certificate-manager):

  • Download the fixsts.sh script from the VMware KB article and upload it to the /tmp folder of the affected PSC or vCenter Server with embedded PSC.
  • If your SCP client's connection to the vCenter is rejected, the root account is still using the appliance shell; switch it to bash from an SSH session: # chsh -s /bin/bash
  • Connect to the PSC or vCenter Server over SSH, if you have not already done so in the previous step.
  • Change to the /tmp directory: # cd /tmp
  • Make the file executable: # chmod +x fixsts.sh
  • Run the script: # ./fixsts.sh
  • Restart the services on all vCenters and/or PSCs in your SSO domain: # service-control --stop --all && service-control --start --all
  • Run /usr/lib/vmware-vmca/bin/certificate-manager and choose option 4, Regenerate a new VMCA Root Certificate and replace all certificates.
  • Reboot the VCSA appliance.

After the VCSA restarted, we checked https://<vcenter/psc fqdn>:7444/lookupservice/sdk again; the certificate was still expired.

We still did not understand why the STS certificate was not being renewed. The answer was the upgrade path from VCSA 5.5: the STS configuration carried over from the old install still pointed at the legacy STS_INTERNAL_SSL_CERT keystore instead of MACHINE_SSL_CERT, so regenerating certificates never changed what port 7444 served.

Back up and then modify the following file:

  • /usr/lib/vmware-sso/vmware-sts/conf/server.xml
  • Change the two entries in server.xml that reference "STS_INTERNAL_SSL_CERT" to "MACHINE_SSL_CERT".
  • Restart the services: # service-control --stop --all && service-control --start --all
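As an added example (not code from the original post or from VMware), the two checks above done from the VCSA shell: reading the certificate the STS endpoint on port 7444 actually presents, and repointing server.xml from STS_INTERNAL_SSL_CERT to MACHINE_SSL_CERT with a backup and a verification that no reference remains. The server.xml path is the one named in the post; the sample XML, the function names and the backup naming are assumptions for illustration, and the sample file is a constructed stand-in, not the real server.xml.

```shell
#!/bin/bash
# Added example, not code from the original post or from VMware. Helpers for
# the two checks described above: read the certificate the STS endpoint on
# port 7444 presents, and repoint the STS server.xml from the legacy
# STS_INTERNAL_SSL_CERT keystore to MACHINE_SSL_CERT with a backup.
# The server.xml path is the one named in the post; everything else (the
# sample XML, the function names) is an assumption for illustration.
set -u

# Show subject and notAfter of the certificate served at <fqdn>:7444, the
# lookupservice/STS endpoint. Compare with port 443: after the fix both should
# present the Machine SSL certificate. Needs network access to the appliance,
# so it is not exercised offline.
sts_cert_enddate() {
    fqdn="$1"
    echo | openssl s_client -connect "${fqdn}:7444" -servername "$fqdn" 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Number of times a literal token occurs in a file (0 when absent).
count_token() {
    grep -o "$2" "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for the STS server.xml so the edit below can be run and
# verified offline. It is NOT the real file; only the two keystore references
# the post says to change are reproduced.
make_sample_server_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1">
  <Service name="Catalina">
    <Connector port="7444" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="STS_INTERNAL_SSL_CERT" keystoreType="VKS"/>
    <Connector port="7445" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="STS_INTERNAL_SSL_CERT" keystoreType="VKS"/>
  </Service>
</Server>
EOF
}

# Replace every STS_INTERNAL_SSL_CERT reference with MACHINE_SSL_CERT, keeping
# a timestamped backup next to the file. The file is rewritten in place through
# cat so its owner and mode survive. Returns 1 if there was nothing to change
# or if references remain afterwards.
repoint_sts_to_machine_ssl() {
    xml="${1:-/usr/lib/vmware-sso/vmware-sts/conf/server.xml}"
    before=$(count_token "$xml" STS_INTERNAL_SSL_CERT)
    if [ "$before" -eq 0 ]; then
        echo "no STS_INTERNAL_SSL_CERT reference in $xml, nothing to do" >&2
        return 1
    fi
    cp -p "$xml" "${xml}.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/STS_INTERNAL_SSL_CERT/MACHINE_SSL_CERT/g' "$xml" > "${xml}.new" \
        && cat "${xml}.new" > "$xml" && rm -f "${xml}.new"
    after=$(count_token "$xml" STS_INTERNAL_SSL_CERT)
    echo "replaced $before reference(s) in $xml, $after remaining"
    [ "$after" -eq 0 ]
}
```

On the appliance, `repoint_sts_to_machine_ssl` with no argument edits the real server.xml (take the snapshot first); `sts_cert_enddate vcenter.example.local` before and after the service restart shows whether port 7444 has switched to the renewed Machine SSL certificate.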

After the restart, https://<vcenter/psc fqdn>:7444/lookupservice/sdk should present the same renewed certificate as the vCenter UI; once it does, you can successfully continue with stage 2 of the upgrade to VCSA 8.0.2.

