VMware vSphere 5.1 to 5.5 upgrade errors related to SSL/SSO

Just wanted to run a few errors by you in case you get stuck in the places and can’t figure out how to decipher VMware’s nearly useless knowledgebase articles.  Okay so here goes; got a vCenter 5.1 install and bunch of ESXi hosts that need to make their way up to 5.5.

As of late November 2013, the current download of vCenter 5.5 setup is:


I grab that, mount the ISO as a drive and execute.  I get a happy pop-up screen that looks like this:



Okay great, that sounds nice, simple install is what I want.  I already checked out the pre-reqs that my vCenter server was running a compatible version of Windows.  Oh, one note there, the 5.5 release notes mention that you need at least Windows 2008 Service Pack 2, SP1 is not good enough.  Well if you’re like me and not a Windows expert, you may not realize that Windows 2008 Service Pack 1 and Windows 2008 Service Pack 2 are different and older versions than Windows 2008 R2 Service Pack 1.  My server was 2008 R2 SP1 and I wasted an hour trying to figure out why Windows Update was not prompting me to install Service Pack 2, not realizing that 2008 SP2 is older than 2008 R2 SP1 and there is no SP2 for 2008 R2 yet.  There’s even a Microsoft TechNet article on how certain CPU’s present incompatible features that can cause an SP1 machine to not display SP2 as an option so I wasted time chasing that non-issue down.

Okay so simple install kicks off, and what do you now, big ugly error immediately:

Warning 25000. Please verify that the SSL certificate for your vCenter Single Sign-On 5.1 SSL is not expired. If it did expire, please replace it with a valid certificate before upgrading to vCenter Single Sign-On 5.5.


I decided to verify as a precaution and hit https://localhost:7444 in my browser to check, since I knew I was using the default VMware Single Sign On port.  Apparently they self sign the SSO cert when you install vCenter 5.1 or newer, and give it a massive validity time, so mine isn’t slated to expire until 20 years from now.

I wasn’t satisfied with that though, so I, like many others probably will, wasted a whole bunch of time trying to figure out if this was really something to be worried about or not.  I happened across this wonderful VMware KB article:


My favorite part of the article is where it tells you there is no resolution currently available.  It does mention another article that gives no useful information, so I kept searching and ultimately found some other blogs that all had the same issue and were able to ignore it provided the cert was not actually expired, so that’s what I did.

Next up, another SSL-related error:

Error: 12019. There was an error fetching the SSL certificate for this upgrade.  This can happen if your vCenter Single Sign-On service is down.  Click Exit Setup to exit.  If you are sure that the existing SSL certificate is valid, click Continue.  However, if the certificate is not valid, upgrade will fail when Setup applies the certificate.


Well that one certainly doesn’t sound as safe to ignore as the last one.  If you choose to exit, it will pop up a happy log file full of cryptic information that, after enough internet searches, will probably lead you to believe one of two things;  your certificate name doesn’t match the SSO URL, or the certificate is just in the wrong format, PKCS12 vs Java Keystore file (JKS).  Going down the path for a solution to the latter will ultimately make you stumble across nightmare articles like these only to find that your cert is probably already in JKS format:

Since I knew the SSL was not expired and was in the correct format, and since my vCenter is a VM I had snap-shot right before starting this ordeal, I decided to just go for it and run the upgrade anyway.  Turns out it worked fine, so perhaps this is just another issue that has no resolution.  If you have an easy way to revert back, I’d just give it a try, but obviously can’t recommend you do that if recovering from a failed upgrade would be a lot more difficult.

Okay, so the VMware Single Sign On upgrade completes and says all is well and now it’s time to proceed with the rest of the upgrades.  Sounds good, click OK.  And…. nothing.  I’m staring at the blue home screen again with no activity.  I gave it several minutes, nothing changed.  Logged out and back in to kill anything that may have been backgrounded, start simple setup again, get this error:

vCenter Package components already installed.  Please install any remaining components by clicking on the respective links on the left


I ended up having to do the remaining three components under custom install, the desktop client and the update manager manually.  Wasn’t too difficult, no further errors, but wasn’t exactly ‘simple’.

Unfortunately I’m not done complaining yet.  When you install the vSphere client you’ll learn the next wonderful thing about 5.5 that you’re sure to love.  It reminds you before proceeding that your only reason for installing the desktop client is basically so you can use update manager because VMware has decided that all new features will only be accessible via the new web client, not the desktop client.  The desktop client will only get you the old 5.1 features and update manager.  Hmm, okay that sucks since I’m used to the client I’ve been using for years now, but not a huge deal right?  Well wait until you get done and fire that puppy up.  Not only is the interface horrible about wasting space, but it REQUIRES Adobe Flash.  Yes, that Adobe Flash, from the company that just learned hackers have been in their network stealing their source code and customer data for who knows how long.  Yes, the same Adobe whose software gets hacked and has security issues all the time.  Yes, the one Steve Jobs blocked from iPhones because it eats up the cpu and battery.  At the company I was working at on this project, they had stripped Flash from the corporate network for security reasons; kind of makes it hard to work on your VMware servers now….

Okay, now about that interface.  For who knows what reason, they’ve shifted it to a three column format.  It is really horrible because you’ve got your normal host and vm list along the left panel when you’re in that screen, but most of the names are cut off in my case since the servers have names that are longer than ten characters.  The middle panel, thanks to the third column, has most of the host data cut off, and the performance monitoring screen now is a long single column of charts regardless of width.  The right panel is where they stuck the previous Tasks and Alarms windows, only thanks to all the other wasted space, your tasks and alarms are also going to be cut off.  You can resize the three columns but unless you’ve on an ultra-wide screen, you’re never going to get everything on one screen so it will be a constant waste of time shrinking/expanding or resizing windows.  So far I hate it.

One Reply to “VMware vSphere 5.1 to 5.5 upgrade errors related to SSL/SSO”

Leave a Reply

Your email address will not be published. Required fields are marked *