If you’re upgrading from vSphere 5.1 to vSphere 5.5 and you ARE NOT using Custom CA SSL Certificates then you might run into an error. The error will be encountered during the upgrade of SSO, and specifically the Lookup Service, and only occurs in specific conditions, such as when using the default VMware Self-Signed Certificates. If you run into this problem your upgrade process will roll back, but leave behind some upgrade files that need to be cleaned up. This article will briefly touch on the recommended solution to this problem.
Many of you will recall the many articles that I wrote regarding updating the default self-signed SSL Certificates in vSphere 5.0 and 5.1 to Custom CA Certificates. If you haven’t seen these articles and you’re interested in SSL Security you can check out Updating CA SSL Certificates in vSphere 5.1 and Updating CA SSL Certificates in vSphere 5. To make the process of updating certificates easier VMware created the VMware Certificate Automation Tool and VMware Partner VSS Labs created vCert Manager. If you’re using CA Signed Certificates for your SSL communications between the various vCenter components then you won’t strike the problem I described above. So now might be a good time to review my previous articles and/or use one of the automation solutions that are available.
This issue during the upgrade from vCenter 5.1 to vCenter 5.5 is described in the VMware KB Article – Upgrade from vSphere 5.1 to vSphere 5.5 rolls back after importing Lookup Service data (2060511). You will likely see an error such as “Warning 25000. Please verify that the SSL certificate for your vCenter Single Sign-On 5.1 SSL is not expired. If it did expire, please replace it with a valid certificate before upgrading to vCenter Single Sign-On 5.5.” or the vCenter Upgrade will simply fail and roll back. In the vim-sso-msi.log you will see an error message like the following:
“Action 10:06:03: PostInstallScripts. Importing Lookupservice data…
CustomAction DoUpdateAndMigrateTasks returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)”
As described in the VMware KB this issue does not affect you if:
- You are using custom certificates (recommended)
- You are using the vCenter Server Virtual Appliance (only applies to the Windows version of vCenter Server)
- You are performing a fresh install of vCenter Server 5.5
- You are upgrading from:
  - vCenter Server 5.0
  - vCenter Server 4.x
  - a fresh install of vCenter Server 5.1 Update 1a or later
For the recommended fix please refer to the VMware KB – Upgrade from vSphere 5.1 to vSphere 5.5 rolls back after importing Lookup Service data (2060511). The fix requires modifying the Windows Registry. Before any upgrade of vCenter is attempted it is recommended that you take a backup, and potentially a snapshot, of the vCenter Database and the vCenter Server system itself so you have a point you can roll back to. This should be standard practice in most VMware environments, as should testing the upgrade process and upgrading test and management environments before upgrading production. Given that this impacts environments that have self-signed certificates it has the potential to affect a large number of customers; however, as it only impacts customers upgrading to vCenter 5.5 from a vCenter 5.1 release prior to Update 1a, the number of impacted customers is reduced.
The easiest way to get around this problem if you’re using vCenter 5.1 is to run through the registry fix described in the KB article. Upgrading to vCenter 5.1 U1b will not correct the issue, as it doesn’t replace the certificate. You may also choose to completely rebuild your vCenter with a fresh install of vCenter 5.5 against your existing database. Alternatively you may choose to update your vCenter Server to use CA Signed Certificates, which will also improve the security of your critical management infrastructure. Regardless of the option you choose, make sure you have a backup of the vCenter Database and vCenter so you can roll back if needed.
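The two things the Warning 25000 text and the KB ask you to confirm before upgrading are that the SSO 5.1 SSL certificate has not expired and which FQDN it actually carries (the value the KB says the registry key should match). The script below is an added example, not from this article, VMware or the KB; it performs those checks and backs up the registry key before you touch it. The certificate path is the typical default on a 5.1 Windows SSO install and is an assumption; the registry key path is a placeholder you must take from KB 2060511.

```powershell
# Added example (not from the article or VMware): pre-upgrade check of the SSO 5.1 SSL certificate.
# ASSUMPTION: $CertPath is the usual default location on a 5.1 Windows SSO server; adjust if needed.
# PLACEHOLDER: $SsoRegistryKey must be replaced with the key named in KB 2060511.
param(
    [string]$CertPath       = 'C:\Program Files\VMware\Infrastructure\SSOServer\security\ssoserver.crt',
    [string]$SsoRegistryKey = 'HKLM:\SOFTWARE\<key from KB 2060511>',
    [string]$BackupDir      = "$env:TEMP\sso-upgrade-backup"
)

# Load the certificate; X509Certificate2.Import accepts both DER and Base64 (PEM) files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($CertPath)

# 1. Expiry: Warning 25000 asks you to confirm the SSO 5.1 certificate has not expired.
$now = Get-Date
if ($cert.NotAfter -lt $now) {
    Write-Warning ("Certificate expired on {0}; replace it before upgrading." -f $cert.NotAfter)
} else {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    Write-Host ("Certificate valid until {0} ({1} days left)." -f $cert.NotAfter, $daysLeft)
}

# 2. Names: collect the Subject CN and any DNS Subject Alternative Names (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
    }
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host ("Certificate names: {0}" -f ($names -join ', '))
Write-Host ("Host FQDN:         {0}" -f $fqdn)
if ($names -notcontains $fqdn) {
    Write-Warning 'Host FQDN is not among the certificate names; compare the certificate FQDN with the registry value per the KB.'
}

# 3. Back up the registry key (as a .reg file) before applying the KB's registry change.
if (Test-Path $SsoRegistryKey) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $hivePath = $SsoRegistryKey -replace '^HKLM:\\', 'HKLM\'
    reg.exe export $hivePath (Join-Path $BackupDir 'sso-key-backup.reg') /y
} else {
    Write-Warning "Registry key '$SsoRegistryKey' not found; set the placeholder from KB 2060511."
}
```

Run it in an elevated PowerShell session on the SSO server so the registry export succeeds; keep the .reg file with your other pre-upgrade backups.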
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2013 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Surprising. I would hazard to guess that given the reputation of the 5.1 vCenter appliance and the difficulty of managing 4.1 certificates, the most common deployment model is this exact scenario [default certs on a 5.1 Windows vCenter Server]. Makes me wonder what the QA matrix looks like and how it's executed.
I'm experiencing the 511 KB problems, and the registry fix didn't work for me. It looks like I am either going to have to rebuild, or go with CA certs. REALLY FRUSTRATING
I actually had CA certs on one of my 5.1 lab environments and the upgrade required a bit of work to get going. I'm still troubleshooting the problems and working with VMware Support, who are being most helpful. So watch this space for more information. I would recommend contacting VMware Support and having them work through it with you. The problems I've experienced or heard about are minor in comparison to some of the problems we saw with the 5.1 upgrades; generally the feedback I'm seeing is mostly positive.
I am having the same issue, the registry fix did not work, I still get the warning at the start and the installer fails and rolls back. I do have SSO on a separate machine and protected by Heartbeat so not sure if that's causing issues with it as well.
I had issues during my upgrade when using signed certs too. So it’s not just self-signed certs that can cause this. Suggest logging a support request and if I get more info I’ll let everyone know. For my upgrade I uninstalled and reinstalled.
I purchase my certs through us.sslguru.com. Try opening a support ticket if you still have issues they usually reply within an hour or two. Also they have a pretty good and up to date knowledge base.
Make sure you reboot a lot in between the steps of the fix. I had to rollback to pre-SSO update, reboot, change registry, reboot, then install SSO. You will still see the warning, but it completed.
From the KB: "If the registry key value is set to the FQDN value you see in the certificate, your system is not affected by this issue."
– Mine is set correctly, but I still see the Error 25000 warning upon launching the installer. Just a heads up for anyone else working through this that even in the workaround configuration, you may still see a warning. But hopefully the installer still completes successfully.
I too had the same problem. I’ve reported it to VMware and they are looking into it.
[…] The Trouble With SSL Certificates and Upgrading to VMware SSO 5.5 – Then I took a look at Michael Webster’s blog article on precisely the same error message. Michael briefly discusses the two SSL certificate deployment models and then digs into VMware KB 2060511 mentioned above. While the information in Michael’s blog article reassured me I was not alone in my journey, KB 2060511 didn’t solve my problem either. But sometimes the value of blog articles is not only in the original author’s content, but also in the follow-up comments from the readers. Such was the case here. A number of Michael’s readers responded by saying they were essentially in the same boat I’m in – it sounds like KB 2060511, but in the end this article doesn’t have the solution. The readers found no choice but to push onward beyond Warning 25000 with fingers crossed. As it turned out in my case as well as with some others, Warning 25000 was benign in nature and the installation completed successfully with no rollback. […]
Have you tried to set the JAVA_HOME variable? I kind of had the same in an environment…
Hi Mike, have you heard back from VMware Support about the trouble ticket you logged with them? I am keen to find out as I'm going to be upgrading a major customer from 5.1 to 5.5.
I believe that this problem has been fixed in the latest updates. So if you go to the latest vCenter patches then you should be ok.