Upgrading LogInsight 4.0 -> 4.3 fails if TLSv1 is disabled!

Hi all – I know I promised to follow up with more LogInsight posts and I intend to follow through!  However, as a brief interruption to that blog series (available here), I wanted to let everyone know I’ve upgraded one of my environments from LogInsight 4.0.0-4624504 to 4.3.0-5084751 but not without issue.

You can refer to the VMware LogInsight 4.3 Documentation for instructions on performing the upgrade.  When I followed the procedure, however, I was faced with the following error:

There were really no details provided at all.  So, I connected to the node I was upgrading (a single node in this case) via SSH and looked at /var/log/loginsight/upgrade.log:

conwaylogs1:/var/log/loginsight # cat upgrade.log
2017-03-14 13:39:15,182 loginsight-upgrade INFO Certificate verified: VMware-vRealize-Log-Insight.cert: /C=US/ST=California/L=Palo Alto/O=VMware, Inc.
error 18 at 0 depth lookup:self signed certificate
OK
2017-03-14 13:39:38,114 loginsight-upgrade INFO Signature of the manifest validated: Verified OK
2017-03-14 13:39:38,877 loginsight-upgrade INFO Current version is 4.0.0-4624504 and upgrade version is 4.3.0-5084751. Version Check successful!
2017-03-14 13:39:38,878 loginsight-upgrade INFO Available Disk Space at /tmp: 13392916480
2017-03-14 13:39:38,878 loginsight-upgrade INFO Disk Space Check successful!
2017-03-14 13:39:38,878 loginsight-upgrade INFO Available Disk Space at /storage/core: 206482673664
2017-03-14 13:39:38,878 loginsight-upgrade INFO Disk Space Check successful!
2017-03-14 13:39:45,301 loginsight-upgrade INFO Checksum validation successful!
2017-03-14 13:39:45,322 loginsight-upgrade INFO Attempting to upgrade to version 4.3.0-5084751
2017-03-14 13:50:01,727 loginsight-upgrade INFO Verified source version 4.0.0 >= 4.0.0.0
Running upgrade validation for v3+
Validation script regular output:
Failed to read pre-upgrade30ga-script-package.script
Restarting Log Insight
2017-03-14 13:50:01,727 loginsight-upgrade INFO Pre-upgrade validation was not OK
2017-03-14 13:50:01,727 loginsight-upgrade INFO <div style=’margin-bottom:5px’><b>Log Insight deployment did not pass pre-upgrade validation:</b></div> <div><urlopen error [Errno 1] _ssl.c:497: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol></div>
2017-03-14 13:50:01,727 loginsight-upgrade ERROR Upgrade pre-validation errors
Traceback (most recent call last):
File “/usr/lib/loginsight/application/sbin/loginsight-pak-upgrade.py”, line 508, in main
raise ValidationError(err.strip())
ValidationError: “<div style=’margin-bottom:5px’><b>Log Insight deployment did not pass pre-upgrade validation:</b></div> <div><urlopen error [Errno 1] _ssl.c:497: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol></div>”
2017-03-14 13:50:01,728 loginsight-upgrade INFO Done!

Again, there’s really nothing obvious in the output.  However, the text in red suggested something was up with an unknown protocol in regards to SSL.  Hrm.  Well, actually, as is best-practice, I disabled TLSv1 on all of my environments.  So, as a long shot I thought I would re-enabled TLSv1 in case there was some sort of validation being done.  You can read this KB on how to disabled TLSv1 (and thus re-enable it if needed).

It turns out that after re-enabling TLSv1 on the LogInsight 4.0 appliance, my upgrade went through successfully!

And finally, as confirmation, if you look at upgrade.log again you’ll see:

[…]
vmware-tools-vsock-common-10.0.9-5.sles11.x86_64 has already been installed.
vmware-tools-vsock-kmp-default-9.8.1.0_3.0.76_0.11-5.sles11.x86_64 has already been installed.
vmware-tools-vsock-kmp-trace-9.8.1.0_3.0.76_0.11-5.sles11.x86_64 has already been installed.
Running post-install script
Restarting Log Insight
2017-03-14 14:22:42,280 loginsight-upgrade INFO Successfully upgraded to version 4.3.0-5084751!
2017-03-14 14:22:42,280 loginsight-upgrade INFO Upgrade took 1 minutes
2017-03-14 14:22:42,280 loginsight-upgrade INFO Done!

 

Just a heads up to those who may be upgrading their appliances!  Disabling TLSv1 is definitely a good idea, but in this case it bites you in the upgrade process!  Good luck and feel free to let me know if you have similar or opposite experiences!

Author: Jon

Share This Post On

4 Comments

    • Do you know if it is by design? Not a huge ordeal, but I have a number of environments that I’ll need to make the change on.

      Post a Reply
      • It’s not by design, will be addressed by a future release

        Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This
%d bloggers like this: