Fixing vCenter SHA-1 Validation Precheck Error During VCF 5.2.1 Upgrade

  • viquarmca
  • 10 hours ago

When upgrading to VMware Cloud Foundation (VCF) 5.2.1, the upgrade precheck phase plays a critical role in ensuring the environment meets all the prerequisites. One common issue encountered during this stage is the SHA-1 validation failure on vCenter Server. In this blog, we’ll look into the root cause of this error, and how to resolve it.


💥 Error Overview

During the precheck validation for VCF 5.2.1, the process may fail with an error indicating the presence of SHA-1 signed certificates in your vCenter environment:



This blocks the upgrade path, even if your environment is functioning normally.


ERROR vSphere SHA-1 validation failed


High: Do not perform upgrade without addressing this issue.


Check the /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/vsphere-sha1-validation-execution-error-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt file for more details. If that file contains error code 'rpc_s_connection_closed' then please retry the precheck as it could not connect to verify whether weak algorithms (e.g. SHA-1) are in use on the vCenter.


Resolution

The refresh function within the VECS store has fallen out of sync, so a manual refresh is required on the vCenter appliance.

  1. Take a snapshot of the vCenter Appliance. For vCenter Servers in Enhanced Linked Mode (ELM), take an offline snapshot of all of them. See also KB 313886.

  2. SSH to the vCenter as root.

  3. Run the following command:

# /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Run the precheck once more and the error should be cleared. In this case the error was gone after the refresh, and the upgrade completed.
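To see which certificates in VECS, if any, are SHA-1 signed before and after the refresh, the stores can be listed and filtered by signature algorithm. The script below is an added example, not part of the original post or of VMware's tooling; it relies on the `store list` and `entry list --store <name> --text` subcommands of `vecs-cli`, and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report VECS entries whose certificate is SHA-1 signed.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # same path as the command above

# Reads `vecs-cli entry list --store <store> --text` output on stdin and prints
# "<alias><TAB><signature algorithm>" for every entry signed with SHA-1.
find_sha1_certs() {
  awk '
    /^Alias[ \t]*:/ { sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0; seen = 0; next }
    /Signature Algorithm:/ && !seen {
      seen = 1   # the certificate text prints this field twice; use the first
      algo = $0; sub(/.*Signature Algorithm:[ \t]*/, "", algo)
      if (tolower(algo) ~ /sha1/) print alias "\t" algo
    }'
}

# Walks every certificate store on the appliance (run as root on the vCenter).
# The CRL store is skipped because its entries are not certificates.
scan_vecs() {
  "$VECS_CLI" store list | grep -v TRUSTED_ROOT_CRLS | while read -r store; do
    "$VECS_CLI" entry list --store "$store" --text 2>/dev/null |
      find_sha1_certs | awk -v s="$store" '{ print s "\t" $0 }'
  done
}

# Constructed sample of a --text listing (not captured from a real system;
# exact spacing on an appliance may differ, the parser accepts spaces or tabs).
sample_listing() {
  cat <<'EOF'
Number of entries in store : 2
Alias : legacy-ca
Entry type : Trusted Cert
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Legacy CA
    Signature Algorithm: sha1WithRSAEncryption
Alias : current-ca
Entry type : Trusted Cert
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example CA
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# "--scan" inspects the live stores; with no argument the sample is parsed.
if [ "${1:-}" = "--scan" ]; then scan_vecs; else sample_listing | find_sha1_certs; fi
```

An empty result from `--scan` means no certificate in the scanned stores reports a SHA-1 signature algorithm; any line printed names the store and alias to review before retrying the precheck.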


