VMware Cloud Director (formerly VMware vCloud Director for Service Providers) introduces new security measures which cannot be bypassed anymore. In previous versions of VMware Cloud Director it was possible to automatically trust all certificates for LDAP connections with SSL enabled automatically. This is not possible anymore and can cause your upgrade to fail.
VMware provides more information about this in its Knowledge Base Article Upgrading to Cloud Director 10.3 can fail for some LDAP SSL Configurations at Provider and/or Tenant levels (85199) (vmware.com)
«If there are ‹1› or more Organizations listed then the Cloud Director instance will have to be reverted to its pre-upgrade state and Cloud Director’s services started.»
The installer, however, doesn’t let you correct the configuration once started so it is key to adjust the setting before upgrading to avoid unnecessary prolongation of your maintenance to get to Cloud Director 10.3.
Although VMware provides the steps to update the database for LDAP providers with SSL disabled which can have this setting set to accept as well (it is highly recommended to use SSL for your LDAP connection) this is not the case for the LDAP providers set to use SSL. The KB only shows how to identify which organizations require an adjustment in the Postgres Database but forces you to revert to your snapshots and database backup once done.
Disable Accept all certificates
To set Accept all certificates to disabled execute the following steps:
- navigate to the organization in question and open Administration – Identity Providers – LDAP – Custom LDAP and click Edit.
- Set Accept all certificates to disabled and click on save
- Trust the presented certificate
- repeat for all other organizations if required
«If ‹System› is listed in the ’name› column then the System Administrators must verify that Accept All certificates is set to false (disabled)»
Apart from setting all Organizations to the desired configuration it is key to do so for the System itself too. Otherwise you will once again have to start over. Repeat the same steps as explained in the previous section but do this in the Provider section.