Pre-upgrade checklist

This topic details the items to check prior to upgrading N-able N-central Server. It is highly recommend you review the below requirements to prepare your N-central server and devices for a successful upgrade.

If upgrading from N-able N-central v2023.3 or earlier, you will need to upgrade to v2023.4 before upgrading to the most recent GA release. You will need to follow the appropriate upgrade path as detailed in Checklist for upgrading your N-able N-central Server to 2023.4 or 2022.7 HF1 and Upgrade path for legacy N-central versions

Check Hostname

Update your hostname to ensure it is a valid FQDN prior to attempting to upgrade the N-central server.

This field is required to have a valid FQDN entered in it to allow N-central to upgrade.

Previously an IP address was accepted, however using FQDN is much more robust.

Using a FQDN instead of an IP address means that, if you were to migrate your service to a server with a different IP address, you would be able to simply change the record in DNS rather than try and find everywhere that the IP address is used.

This is especially useful when you have many servers and services configured by multiple individuals.

Certificate Management

  1. Make sure that the certificates applied to the server are valid, and in date.
  2. Check that the (SSL and TLS) Certificate expiry dates are greater than 21 days in the future.

    3. The limit of expiry dates greater than 21 days is designed to prevent initial install or upgrade failure investigations, possible disaster recovery operations, server rebuilding or Root Cause analysis, etc. being hampered and worsened by certificates expiring during that period.

The server will perform the following checks:

  • The Server's FQDN Field is configured in Mail and Network Settings > Network Setup and matches at least one entry on the Certificate Subject Alternative Names list.
  • Confirm that the certificate is a valid x509 Certificate.
  • The Certificate Chain is valid back to a Trusted Root CA Certificate in the N-central server Operating System Trust Store.
    • If the Issuing CA URI is included in the TLS Certificate, N-central will always download the full Certificate Chain.
    • If the URI is not present, we will use the chain uploaded with the N-central TLS Certificate.
  • Verify the uploaded TLS Certificate matches the Private Key on the N-central server.
  • Confirm the certificate is not in the revocation lists (CRL and OCSP).

Agent and Probes

In order for the Agents and Probes to upgrade they need to be able to connect to the server without any certificate errors over https.

  1. Check to see if the Endpoints can connect to the N-central server.
  2. Check the Agent/Probe Communication Defaults to ensure that no IPs are in use, only use FQDN:
    1. From Administration > Defaults > Agent & Probe Settings > Communication Settings
    2. Edit all entries to ensure that only a valid FQDN that matches the N-central TLS Certificate's Subject Alternative Names field, and delete invalid entries as needed.
  3. If you are using a private CA please make sure the endpoints have the root CA as part of the trust store on the Operating system running the agent.
  4. Install the Certificate Check custom Monitoring Service, available from N-ableMe
  5. If the upgrade fails:
    1. Check the console screen for the conditions of failure.
    2. Make sure to review the email that is sent for error details, and follow the linked articles.

Appliance Upgrades

Set device upgrade settings to Never to allow you to stagger the upgrade deployment and pause in case any of the upgrades develops a problem.

  • Administration > Defaults > Agent & Probe Settings > Upgrades

To prevent orphaning devices by accident should the N-central upgrade detect Agents/Probes using Server Addresses not included in the N-central TLS Certificate’s Subject Alternative Names field, it will automatically set all Agents/Probe upgrade settings to Never.