In this blog we look at a VCF 4.4 environment where we were trying to run the precheck on the MGMT domain, but it was failing with the error message "Upgrade precheck start failed. precheck not implemented for type SDDC_SECURITY_CONFIGURATION". SDDC Manager was reporting that it could not perform the precheck because it was not enabled or configured. The certificate status in the SDDC Manager UI was good, and the SOS check on the certificates was also all GREEN. Let's dive in to see how we fixed the issue.
SDDC Manager : bng-sddcm-01.lab.com
Certificates : GREEN
Check /var/log/vmware/vcf/lcm/lcm.log; the error reports that the precheck is not enabled.
2022-11-25T11:07:42.919+0000 DEBUG [vcf_lcm,564ac3537b064c09,f911,precheckId=b12fa641-b126-4ad2-99c6-1fa17d80f164,resourceType=SDDC_SECURITY_CONFIGURATION,resourceId=null] [c.v.e.s.l.p.e.i.VcfServicePrimitiveImpl,Precheck-44] Data in precheckTaskNameMap for Security Configuration map is {VCF_SECURITY_CERTIFICATE_VALIDATION_ENABLED=Checks if certificate validation is enabled in VMware Cloud Foundation , KNOWN_HOSTS_HEALTH_CHECK=Checks security configuration of the known_hosts., TRUSTSTORE_HEALTH_CHECK=Checks security configuration of the trust store., MICROSOFT_CA_SERVER_CHECK=Checks security configuration of the Microsoft Certificate Authority server}
2022-11-25T11:07:42.921+0000 ERROR [vcf_lcm,564ac3537b064c09,f911,precheckId=b12fa641-b126-4ad2-99c6-1fa17d80f164,resourceType=SDDC_SECURITY_CONFIGURATION,resourceId=null] [c.v.e.s.l.p.c.s.LcmSecurityService,Precheck-44] Certificate validation is NOT enabled
/var/log/vmware/vcf/operationmanager/operationmanager.log
2022-11-25T11:36:26.687+0000 INFO [vcf_om,0ecd9886d72ef488,b5ed] [c.v.v.o.r.a.c.OperationsManagerAbout,http-nio-127.0.0.1-7300-exec-5] Getting Operations Manager service info
2022-11-25T11:36:29.259+0000 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.c.s.SecurityConfigurationServiceImpl,pool-1-thread-1] Security config retrieved {"certificateValidationEnabled":false,"fipsMode":false}
Workaround:
We confirmed from the SOS check and the logs that we did not have any certificate issue.
We changed the option back to enabled by running the command:
curl -X POST -H "Content-Type: application/json" -d '{"fipsMode":false,"certificateValidationEnabled":true}' http://localhost/appliancemanager/securitySettings
After that, the precheck for the certificate passed without any issues.
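
A log check for the state described above, as an added example that is not part of the original post or of VMware's tooling: it reads the newest "Security config retrieved" entry from operationsmanager.log and lists the precheck IDs that logged "Certificate validation is NOT enabled" in lcm.log. The function names and the second, post-change sample line are constructed, and it assumes each log entry sits on a single line and that the service logs the setting again after the change.

```python
import json
import re
from datetime import datetime

# Line shapes taken from the log excerpts shown in this post.
CONFIG_RE = re.compile(r"^(\S+) DEBUG \[vcf_om,.*Security config retrieved (\{.*\})\s*$")
LCM_ERR_RE = re.compile(
    r"^(\S+) ERROR \[vcf_lcm,.*?precheckId=([0-9a-f-]+),.*Certificate validation is NOT enabled")

OM_PREFIX = " DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.c.s.SecurityConfigurationServiceImpl,pool-1-thread-1] "
OM_SAMPLE = [
    # Entry from the post.
    "2022-11-25T11:36:29.259+0000" + OM_PREFIX
    + 'Security config retrieved {"certificateValidationEnabled":false,"fipsMode":false}',
    # Constructed entry: what a later read could look like once validation is re-enabled.
    "2022-11-25T12:05:00.000+0000" + OM_PREFIX
    + 'Security config retrieved {"certificateValidationEnabled":true,"fipsMode":false}',
]
LCM_SAMPLE = [  # Entry from the post, joined onto one line.
    "2022-11-25T11:07:42.921+0000 ERROR [vcf_lcm,564ac3537b064c09,f911,"
    "precheckId=b12fa641-b126-4ad2-99c6-1fa17d80f164,resourceType=SDDC_SECURITY_CONFIGURATION,"
    "resourceId=null] [c.v.e.s.l.p.c.s.LcmSecurityService,Precheck-44] Certificate validation is NOT enabled",
]

def latest_security_config(om_lines):
    """Return (timestamp, config dict) of the newest config entry, or None if there is none."""
    latest = None
    for line in om_lines:
        m = CONFIG_RE.match(line)
        if not m:
            continue
        try:
            entry = (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z"), json.loads(m.group(2)))
        except ValueError:  # malformed timestamp or truncated JSON: skip the line
            continue
        if latest is None or entry[0] >= latest[0]:
            latest = entry
    return latest

def validation_enabled(om_lines):
    """True/False from the newest config entry; None when the log holds no such entry."""
    latest = latest_security_config(om_lines)
    return None if latest is None else bool(latest[1].get("certificateValidationEnabled"))

def failed_prechecks(lcm_lines):
    """Return the precheck IDs that logged 'Certificate validation is NOT enabled'."""
    return sorted({m.group(2) for m in map(LCM_ERR_RE.match, lcm_lines) if m})

if __name__ == "__main__":
    print("validation enabled:", validation_enabled(OM_SAMPLE))
    print("prechecks blocked:", failed_prechecks(LCM_SAMPLE))
```

To run it against real logs, pass the lines of each file (for example `open(path).read().splitlines()`) instead of the embedded samples.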