Here is a problem that I came up against when trying to use Update Manager on my newly installed vCenter Server Appliance (VCSA). The same ‘fix’ would apply to those trying to perform an update of the VCSA/PSC itself.

If you get the notification below when trying to use Update Manager and you see the Connectivity status failing, try the procedure below.

First click on Download Settings in Update Manager / Manage and enter a proxy address if required (see my previous post on setting the https proxy). This is common on corporate networks, where you probably do not have direct access out to the internet.

Try Update Manager again. If this fails, we need a little more information on what is going wrong. For this we can log into the appliance and, in bash, type the following:

    wget https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

With this we are effectively trying to download that URL from the command line, so any errors will be shown directly. If you see a result such as the one below, where the certificate it's referring to is not from VMware but one that looks local, from your proxy server, you may well have SSL Interception enabled at your corporate proxy server.



In this instance we can get around the issue by putting an SSL Interception exception in at the proxy (i.e. don't intercept this URL), or the better solution would be to get the appliance to trust the certificate presented by the proxy. You can achieve this by importing the certificates needed to trust the presented certificate; for me that was the Root and Issuing certificates. This is how that was done on the VCSA appliance:

First list the available stores:

    root@sp-myhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store list
    MACHINE_SSL_CERT
    TRUSTED_ROOTS
    TRUSTED_ROOT_CRLS
    machine
    vsphere-webclient
    vpxd
    vpxd-extension
    SMS

Show the number of entries in a particular store, e.g. TRUSTED_ROOTS, which is where we will want to import our certificates:

    root@sp-myhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | grep Number
    Number of entries in store : 4

Add the entry to TRUSTED_ROOTS. (Use WinSCP or equivalent to copy your certificates to the appliance; in the example below I have copied to /certs.)

    root@sp-myhost [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /cert/Cert_RootIssuing_Chain.cer
    Enter password for administrator@vsphere.local:
    Certificate pubished successfully

New number of entries in TRUSTED_ROOTS:

    root@sp-myhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | grep Number
    Number of entries in store : 6

Notice now that the number of certificates has increased to 6. Retry the wget command and you should find that it completes successfully and Update Manager is able to successfully connect!
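
The before/after count comparison above can be scripted so that a failed or partial import is caught rather than eyeballed. This is an added example, not part of the original post or VMware tooling; the function names are hypothetical, the sample chain is constructed with placeholder bodies, and it assumes the chain file is PEM-encoded.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not VMware tooling.

# Number of PEM certificate blocks in a file (0 for DER-encoded or empty files).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Read vecs-cli "entry list" output on stdin and print N from the
# "Number of entries in store : N" line shown in the post.
store_count() {
    sed -n 's/^Number of entries in store[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_import BEFORE AFTER CHAINFILE
# 0 = store grew by exactly the number of certificates in the chain file
# 1 = growth differs (e.g. a certificate was already trusted, or one was skipped)
# 2 = chain file holds no PEM certificates
check_import() {
    ci_expected=$(count_pem_certs "$3")
    ci_growth=$(( $2 - $1 ))
    if [ "$ci_expected" -eq 0 ]; then
        echo "no PEM certificates found in $3" >&2
        return 2
    fi
    if [ "$ci_growth" -ne "$ci_expected" ]; then
        echo "store grew by $ci_growth, chain file holds $ci_expected" >&2
        return 1
    fi
    echo "ok: $ci_expected certificate(s) added to TRUSTED_ROOTS"
}

# Constructed stand-in for a Root + Issuing chain (bodies are placeholders).
make_sample_chain() {
    for name in ROOT ISSUING; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$name" '-----END CERTIFICATE-----'
    done
}

# On the appliance (paths as used in the post):
#   VECS=/usr/lib/vmware-vmafd/bin/vecs-cli
#   before=$($VECS entry list --store TRUSTED_ROOTS | store_count)
#   ...run the dir-cli trustedcert publish command...
#   after=$($VECS entry list --store TRUSTED_ROOTS | store_count)
#   check_import "$before" "$after" /cert/Cert_RootIssuing_Chain.cer

# Offline demo with the counts from the post (4 before, 6 after).
demo=$(mktemp) && make_sample_chain > "$demo"
check_import 4 6 "$demo"
rm -f "$demo"
```

A return code of 1 does not necessarily mean the publish failed: if one of the chain's certificates was already in TRUSTED_ROOTS, the store grows by less than the chain size.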

Useful Links