VCSA Upgrade & Root Password Expiration

Last week VMware have released vSphere 6.5 Update 2 which contains bug fixes as well as new features. One of these new features is the use of Linked Mode between vCenter Servers with Embedded Platform Services Controllers. In previous versions Linked Mode was only possible with external Platform Services Controllers. This new features has been named ‘Embedded Linked Mode’ and more information about this can be found here.

As I wanted to check out this new feature, it was time to upgrade my lab environment which is currently running vSphere 6.5 Update 1. After checking the interoperability matrix to make sure all solutions deployed in the lab environment (NSX, vROPS, vRLI, and vRA) are compatible, it was time to start the upgrade of the vCenter Server first.

I used the Embedded Host Client to connect the ISO containing the update to the VCSA VM and started the upgrade process from the appliance management interface. This resulted in the following error.


After rebooting the VCSA and checking the logging and not finding anything helpful, I assumed it was caused be an internal error. This particular VCSA has been around for a decent amount of time now and has been upgraded several times which could be the cause of the problem.

After this unsuccessful first upgrade try, it was time to read the release notes of the patch. The release notes of the patch include the upgrade steps which need to be performed from the appliance shell. With the second attempt of the upgrade, the commands from the release notes were used but again with no success.


Once again I found myself checking the logging, but this time I found the cause of the problem. By default, the root account has a password expiration policy set to 90 days. As this VCSA has been deployed a bit longer ago and I didn’t change the policy, the root password has been expired causing the upgrade to fail.


Luckily the root password expiration policy can be changed for the VCSA appliance management interface. When logging on the management interface to change the expiration policy I noticed the expiration date was set way back in the past to ‘Wednesday April 1 1970’. Trying to change the expiration policy resulted in the following error.


As it was not possible to change the password expiration policy from the management interface, it was time to use the following KB article to reset the root password on the VCSA. Although not officially supported, it is also possible to use the ‘passwd’ command from the shell  if you are able to logon to the VCSA. Even with a expired password I was able to logon to the VCSA with SSH and change the password.


After changing the password and starting the upgrade, the entire upgrade process completed successfully!


As I remember correctly, the installer used to check the password expiration and give a more user friendly error during the upgrade process. I do not know if this has been removed or if I’m dreaming this was ever the case.

TLDR; Don’t forget to change or at least check the root password expiration policy before attempting to upgrade the VCSA to a newer version.

2 thoughts on “VCSA Upgrade & Root Password Expiration

Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: