"vmware-jmemtool.msi failed with 0x80096005" while upgrading vCenter Server 6.x
search cancel

"vmware-jmemtool.msi failed with 0x80096005" while upgrading vCenter Server 6.x

book

Article ID: 303161

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Update of vCenter to 6.x fails reporting vmware-jmemtool.msi is not digitally signed
  • When tried to upgrade vCenter to 6.x it fails with the below message,
2017-04-21 12:22:44.045+02:00| vcsInstUtil-5318198| E: PitCA_IsFileSigned: The digital signature on file D:\vCenter-Server\Packages\vmware-jmemtool.msi failed with 0x80096005 0x80096005
2017-04-21 12:22:44.045+02:00| vcsInstUtil-5318198| E: LoadPackageList: MSI "D:\vCenter-Server\Packages\vmware-jmemtool.msi" failed signature validation: 0x80096005
2017-04-21 12:22:44.046+02:00| vcsInstUtil-5318198| I: PitCA_MessageBox: Displaying message: "A file that is required cannot be installed because the cabinet file D:\vCenter-Server\Packages\vmware-jmemtool.msi is not digitally signed. This may indicate that the cabinet file is corrupt."
2017-04-21 12:23:41.761+02:00| vcsInstUtil-5318198| E: LaunchPkgMgr: Failed to load packages
2017-04-21 12:23:41.762+02:00| vcsInstUtil-5318198| E: LaunchPkgMgr: Overall operation has failed
2017-04-21 12:23:41.846+02:00| vcsInstUtil-5318198| I: Entering function: VM_FinishInstallWithError
2017-04-21 12:23:41.846+02:00| vcsInstUtil-5318198| I: InstallStatus_SetStage: install stage: install-end / (NULL)
2017-04-21 12:23:41.858+02:00| vcsInstUtil-5318198| I: InstallStatus_GenerateFile: InstallStatusJson: {"installStage":{"main":[["preinstall-check",1492769756],["install-start",1492770076],["verify-packages",1492770076],["install-end",1492770221]]},"installTime":1492770076,"memoryLoad":26,"msiVersion":"5.0.7601.23593","preinstallReport":"C:\\Users\\DAG616~1\\AppData\\Local\\Temp\\vim-vcs-precheck-report.html","startTime":1492769756}

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  • Update of vCenter from 6.0 U2 to U3b fails reporting vmware-jmemtool.msi is not digitally signed.
  • You see entries similar below in vminst.log:
<YYYY-MM-DD>T<time>.917+10:00| vcsInstUtil-5318198| E: PitCA_IsFileSigned: The digital signature on file Z:\vCenter-Server\Packages\vmware-jmemtool.msi failed with 0x80096005 0x80096005
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| E: LoadPackageList: MSI "Z:\vCenter-Server\Packages\vmware-jmemtool.msi" failed signature validation: 0x80096005
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| I: PitCA_MessageBox: Displaying message: "A file that is required cannot be installed because the cabinet file Z:\vCenter-Server\Packages\vmware-jmemtool.msi is not digitally signed. This may indicate that the cabinet file is corrupt."
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| E: LaunchPkgMgr: Failed to load packages
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| E: LaunchPkgMgr: failed to remove created directory: 0
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| E: LaunchPkgMgr: Overall operation has failed
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| I: Entering function: VM_FinishInstallWithError
<YYYY-MM-DD>T<time>+10:00| vcsInstUtil-5318198| I: InstallStatus_SetStage: install stage: install-end / (NULL) </time></time></time></time></time></time></time></time>

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  • MD5 checksum and value matches.
  • Check and confirm if we have any permissions issue for "NT SERVICE\cryptsvc" towards register path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot and cryptsvc has got Full control.


    Cause

    The issue is caused due to:
    • Signing: remove starfieldtech and SHA1 GlobalSign from windows timestamp servers.
    • Starfieldtech is not included as a trusted CA in some versions of windows.
    • Globalsign's CA cert has expired in some versions of windows.

    Resolution

    To resolve the issue:
     
    1. Add the GlobalSignRootCA.cer and Starfield CA cert to the following path at the vCenter as this would be the quickest fix:

      local Computers -> Trusted Root Certificate Authorities -> Certificates
       
    2. There is a setting in Local/Group Policy "Turn off Automatic Root Certificate Update" (Start -> Run -> gpedit.msc : Local Computer Policy/Administrative Templates/System/Internet Communication Management/Internet Communication Settings), which if enabled will not allow the system to automatically download the Root CA certificate. If permissible, disabling this setting will enable the installer to download the required certificates and verify the MSI package.
       
      1. If the system is on a closed network, the certificates can be extracted from the MSI and imported into a local certificate trust store:
         
        • Go to X:\vCenter-Server\Packages\, where X is the drive letter where the installation ISO was mounted.
        • Right-click on the MSI package mentioned in the error message and select Properties.
        • Select the Digital Signatures tab.
        • In the Signature list section, select the entry and click the Details button.
          In the Signer information section, click the View Certificate button. In the Certificate window, click the Certification Path tab, and select the certificate at the top of the signing chain. Verify that the Certificate status reads "This certificate is OK". If this is not the supplied status, you will need to export this certificate and import it into a local certificate trust store.
        • In the Countersignatures section, select the entry (if applicable), and click the Details button.
          In the Signer information section, click the View Certificate button. In the Certificate window, click the Certification Path tab, and select the certificate at the top of the signing chain. Verify that the Certificate status reads "This certificate is OK". If this is not the supplied status, you will need to export this certificate and import it into a local certificate trust store.
           
      2. To save a certificate and import it into the local Trusted Root Certification Authorities store:
        When viewing the Certificate details, if there is a button labelled Install Certificate... on the General tab:
         
        • Click the button Install Certificate...
        • For Store Location, select Local Machine.
        • Select Place all certificates in the following store, and click the Browse... button.
        • Select the Trusted Root Certification Authorities or Third-Party Root Certification Authorities, depending on your environment guidelines, and click OK.
        • Click Next.
        • Click Finish.
           
      3. When viewing the Certificate details, if there is not a button labelled Install Certificate... on the General tab:
         
        • On the Details tab, click the Copy to File... button to start the Certificate Export Wizard.
        • Click Next.
        • Select Base-64 encoded X.509 (.CER), and click Next.
        • Click Browse... to specify where to save the certificate, then click Next.
        • Click Finish to export the certificate.
        • Open the certificate you just saved, and there should now be a button labelled Install Certificate... on the General tab. Install the certificate per the instructions above in option A.


    Additional Information

    vCenter から 6.x へのアップデートが失敗し、vmware-jmemtool.msi がデジタル署名されていないことが報告される

    Powered by Wolken Software