vCenter 5.0 to 5.5 Upgrade fails due to an expired SSL Certificate

Posted by Aruna Lakmal on 9:32:00 PM
We encountered this issue while we were in the middle of a vCenter 5.0 to 5.5 upgrade. Our initial plan was to upgrade the existing vCenter 5.0 as a 5.5 simple installation. This was an old setup and we didn't have any idea about the installation date and time of the vCenter Server. We ended up with this error and vCenter failed to upgrade as we expected.

According to this KB article, the default SSL certificates of vCenter Server are valid for "10" years and those of ESX/ESXi 4.x/5.x are valid for a period of "11.5" years. There are lots of articles on regenerating the existing SSL certificate using OpenSSL, but we were not in a situation where we could use it to regenerate the SSL certificates. Unfortunately, we could not try that, and I can't give you an honest comment on the OpenSSL regeneration.

We checked the vCenter SSL certificate, which is in the "C:\ProgramData\VMware\VMware Virtual Center\SSL" folder, and noticed something. See my screen capture below.

The last modified date is 10 years back; this certificate had already expired, and that led us to this situation. Finally, we decided to uninstall the vCenter 5.0 server and reinstall the same version with the same database. Make sure to take a database backup of your vCenter before you start the reinstallation. One thing I would like to mention here: once you uninstall the vCenter server, you need to cut and paste the SSL certificate to a different place. Otherwise it won't change the SSL certificate, which means it uses the same SSL certificate and you are not able to perform the upgrade.
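The expiry can also be read from the certificate itself instead of being inferred from the file's modified date. The PowerShell below is an added example, not part of the original post; it uses the folder named above and assumes the certificates there are stored as `.crt` files, and the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: report the validity period of each certificate in the vCenter SSL folder.
# The folder path is the one named in the post. The *.crt filter and the 30-day
# warning threshold are assumptions made for this example.
$sslDir   = 'C:\ProgramData\VMware\VMware Virtual Center\SSL'
$warnDays = 30
$now      = Get-Date

$report = @(Get-ChildItem -Path $sslDir -Filter *.crt | ForEach-Object {
    $file = $_
    try {
        # X509Certificate2 can load a PEM- or DER-encoded certificate from a file path.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    } catch {
        Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
        return   # skip this file, continue with the next one
    }

    # NotAfter is the authoritative expiry; the file's LastWriteTime is only a hint.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $warnDays) { 'EXPIRING' } else { 'OK' }

    New-Object PSObject -Property @{
        File      = $file.Name
        Subject   = $cert.Subject
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        Modified  = $file.LastWriteTime
        DaysLeft  = $daysLeft
        Status    = $status
    }
})

if ($report.Count -eq 0) {
    Write-Warning "No parsable .crt files found in $sslDir"
} else {
    $report | Select-Object File, Subject, NotBefore, NotAfter, Modified, DaysLeft, Status |
        Format-Table -AutoSize
    if ($report | Where-Object { $_.Status -ne 'OK' }) {
        Write-Warning 'At least one certificate is expired or close to expiry; resolve this before starting the upgrade.'
    }
}
```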

I recommend re-installing the vCenter server in the same directory without changing the directory location. Also, make sure to select the "Do not overwrite, leave my existing database in place" option during the installation.

After the successful re-installation of the server, we checked the SSL certificate folder. It's great to see that the new SSL certificate is in place and the last modified date is updated.

It was a green light for the next step, and we checked the vCenter server functionality by logging in to vCenter using the vSphere Client.

See my output of the vCenter inventory below. All the hosts were disconnected and the warning below was displayed in the Summary tab.

The cause behind this is that it failed to decrypt the root password, since it was encrypted using the old SSL certificate. When you re-connect the hosts, you might see the error message below due to this password issue.

Anyway, proceed with the host reconnect task in your vCenter; it will regenerate the relevant password encryption with the new SSL certificate.

OK, now it's time to perform the actual 5.5 upgrade: mount the ISO to your vCenter and perform the upgrade. My installation method is simple installation, but I would suggest installing each and every role one by one as a custom installation rather than performing the simple installation from the installation wizard.

Select the "Keep my existing database" option in the Inventory Installation.

Make sure to take a backup of your new SSL certificate before you proceed with the upgrade.

I would recommend selecting "Automatic" as the vCenter Agent upgrade method.

Wait until it performs the DB upgrade.

This is the way that I upgraded my very old vCenter server, and I believe this will help you find some answers to your questions.

Thank you for reading my post.