Upgrading to vCenter Single Sign-On 5.5 fails when the SSL certificate is in the PKCS12 format and reports the error: vCenter Single Sign-On Setup Wizard ended prematurely because of an error (2061404)

Symptoms

  • Cannot upgrade from VMware vCenter Single Sign-On (SSO) 5.1 to 5.5.
  • Upgrading from SSO 5.1 to 5.5 fails after you accept the End User Licensing Agreement.
  • The SSO installer fails and rolls back before you choose an SSO deployment method.
  • Certificate Authority (CA) signed certificates were implemented in your vSphere 5.1 environment.
  • You see the error:

    vCenter Single Sign-On Setup Wizard ended prematurely because of an error

  • In the vim-sso-msi.log file, located at %TEMP%, you see entries similar to:
DEBUG: Error 2863: The control WarnNotDNSResolved on dialog MachineStatusDlg needs the icon Exclaim.ico in size 16x16, but that size is not available. Loading the first available size
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2863. The arguments are: MachineStatusDlg, WarnNotDNSResolved, Exclaim.ico

Action 13:12:02: MachineStatusDlg. Dialog created
Action 13:12:04: UpgradeDoExportDlg. Dialog created
MSI (c) (24:54) [13:12:06:564]: Doing action: ExtractKeystoreInfo
Action 13:12:06: ExtractKeystoreInfo.
Action start 13:12:06: ExtractKeystoreInfo.
Action ended 13:12:06: ExtractKeystoreInfo. Return value 3.
DEBUG: Error 2896: Executing action ExtractKeystoreInfo failed.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2896. The arguments are: ExtractKeystoreInfo, ,
Action ended 13:12:06: SSOWelcomeDlg. Return value 3.
MSI (c) (24:84) [13:12:06:592]: Doing action: FatalError
Action 13:12:06: FatalError.
Action start 13:12:06: FatalError.
Action 13:12:06: FatalError. Dialog created
MSI (c) (24:54) [13:12:15:775]: Doing action: ShowMsiLog
Action 13:12:15: ShowMsiLog.
Action start 13:12:15: ShowMsiLog.
MSI (c) (24:78) [13:12:15:868]: Invoking remote custom action. DLL: C:\Users\SA-VCE~1\AppData\Local\Temp\MSIAA46.tmp, Entrypoint: WixShellExec
MSI (c) (24:EC) [13:12:15:871]: Cloaking enabled.
MSI (c) (24:EC) [13:12:15:871]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (24:EC) [13:12:15:873]: Connected to service for CA interface.
Action ended 13:12:16: ShowMsiLog. Return value 1.
Action ended 13:12:16: FatalError. Return value 2. 

...

DEBUG: Error 2896: Executing action ExtractKeystoreInfo failed.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2896. The arguments are: ExtractKeystoreInfo,

Action ended 12:59:08: SSOWelcomeDlg. Return value 3
MSI (c) (F4: 38) [12:59:08:966]: Doing action: FatalError
Action 12:59:08: FatalError.
Action start 12:59:08: FatalError.
Action 12:59:08: FatalError. dialogue created
MSI (c) (F4: 00) [13:02:04:206]: Doing action: ShowMsiLog
Action 13:02:04: ShowMsiLog.
Action start 13:02:04: ShowMsiLog.

Cause

This issue occurs if the SSL certificate for VMware vCenter Single Sign-On 5.1 is configured in a PKCS12 (*.pfx) format rather than JKS format.

Resolution

This issue is resolved in VMware vCenter Server 5.5.0b, available at VMware Downloads. For more information, see the vCenter Server 5.5.0b Release Notes.  

To work around this issue when you do not want to upgrade, convert the SSL certificate for vCenter Single Sign-On 5.1 to JKS format before performing the upgrade. For more information, see: 
After converting the SSL certificate, ensure that the server.xml file (located at C:\Program Files\VMware\Infrastructure\SSOServer\conf\) specifies the JKS keystore type:
  1. On the vCenter Single Sign-On system, open the server.xml file using a text editor.
  2. Locate the two keystoreType entries.

    For example, the entries appear similar to:

    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12" port="7445" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12" port="7444" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>

  3. Change the keystoreType entries to "JKS".
    For example:

    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="JKS" port="7445" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="JKS" port="7444" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>

  4. Save and close the server.xml file.
  5. Restart the vCenter Single Sign-On Service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
  6. Start the installation of vCenter Single Sign-On 5.5.
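
The check and edit from the steps above, as an added PowerShell example (not VMware's own code): it counts the ExtractKeystoreInfo failures in the installer log, lists keystoreType for each Connector without reading the keystore passwords, and with -Apply backs up server.xml before writing keystoreType="JKS". The -UseSample and -Apply switches and the Server/Service wrapper around the sample Connectors are assumptions made for this example.

```powershell
# Added example (not VMware code). -UseSample runs against the constructed XML below;
# otherwise the script reads the server.xml path given in this article.
param(
    [string]$ServerXml = 'C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml',
    [switch]$UseSample,   # hypothetical switch: audit the inline sample instead of the real file
    [switch]$Apply        # hypothetical switch: back up server.xml and write keystoreType="JKS"
)

# Constructed sample: the article's two Connectors, trimmed, inside an assumed Tomcat wrapper.
$sample = @'
<Server><Service name="Catalina">
  <Connector port="7445" clientAuth="true" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12"/>
  <Connector port="7444" clientAuth="false" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12"/>
</Service></Server>
'@

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
if ($UseSample) { $doc.LoadXml($sample) } else { $doc.Load($ServerXml) }

# Symptom check: the failed custom action named in the article's log excerpt.
$log = Join-Path $env:TEMP 'vim-sso-msi.log'
if (Test-Path $log) {
    $hits = @(Select-String -Path $log -Pattern 'Error 2896: Executing action ExtractKeystoreInfo failed')
    Write-Host "ExtractKeystoreInfo failures in ${log}: $($hits.Count)"
}

# Report every Connector that declares a keystoreType. keystorePass and truststorePass
# are deliberately never read or printed, so the output is safe to paste into a ticket.
$connectors = $doc.SelectNodes('//Connector[@keystoreType]')
$connectors | ForEach-Object {
    [pscustomobject]@{
        Port         = $_.GetAttribute('port')
        KeystoreType = $_.GetAttribute('keystoreType')
        KeystoreFile = $_.GetAttribute('keystoreFile')
        NeedsChange  = $_.GetAttribute('keystoreType') -ne 'JKS'
    }
} | Format-Table -AutoSize

if ($Apply -and -not $UseSample) {
    Copy-Item -Path $ServerXml -Destination "$ServerXml.bak" -Force   # keep a rollback copy
    foreach ($c in $connectors) { $c.SetAttribute('keystoreType', 'JKS') }
    $doc.Save($ServerXml)
    Write-Host "Updated $($connectors.Count) Connector(s); restart the vCenter Single Sign-On service."
}
```

The backup copy contains the same keystorePass values as server.xml, so keep it under the same file permissions and delete it once the upgrade succeeds.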
