Upgrade Pre-check states "Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!"

Article ID: 313026

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • During the Pre-check phase of a vCenter Server upgrade or patching, any of the following errors are observed in the UI:
Pre-check error while upgrading vCenter Server to 8.0 U2:
"Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!"
"Verify following URLs and their respective statuses and follow KB 93526.
<LIST_OF_URLs>"


[Screenshot: pre_check_image.png]

Pre-check error while upgrading vCenter Server to 8.0 U2a:
"Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!"
"Please refer to https://kb.vmware.com/s/article/93526 to trust the URLs.
<LIST_OF_URLs>"

[Screenshot: untrusted-urls-67-lin.png]

Pre-check error while patching vCenter Server to 8.0 U2a:
[Screenshot: b2b-ui-80-untrusted-urls.png]

Upgrade scenario:

  • In the /storage/log/vmware/upgrade/CollectRequirements_com.vmware.eam_<DATE>.log file you see:
2023-10-16T10:07:24.375Z INFO eam.lib.eam-upgrade-prechecks Verifying ('IP/FQDN', 8080).
2023-10-16T10:07:24.906Z WARNING eam.lib.eam-upgrade-prechecks The ('IP/FQDN', 8080) is not trusted.
Traceback (most recent call last):
  File "/tmp/vmware-upgrade-temp-dir9Hsu3kuBng/tmpDa2KRuY8Zc/payload/component-scripts/eam/lib/trust-verifier.py", line 287, in _verifyServer
    do_handshake_on_connect=True
  File "/usr/lib/python3.5/ssl.py", line 385, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 760, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)
...
2023-10-16T10:07:25.477Z INFO extensions The component script returned '{'srcPorts': [], 'installArguments': {}, 'coreRequirement': {'importEstimationTime': 0, 'requiredSrcDiskSpace': 0.0, 'requiredDstDiskSpace': {}, 'exportEstimationTime': 0}, 'dstPortSpecs': [], 'userOptionSpecs': [], 'extraArguments': {}, 'requirementMismatchSpecs': [{'problemId': None, 'resolution': Please refer to https://kb.vmware.com/s/article/93526 to trust the URLs: https://<IP/FQDN>:8080/vm/vm.ovf., 'severity': 'ERROR', 'text': Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!, 'description': None}]}'

 

Patching Scenario:

  • In the /storage/log/vmware/applmgmt/PatchRunner.log file:
2023-10-13T20:15:22.385Z eam:CollectRequirements INFO eam.lib.eam-upgrade-prechecks Verifying ('10.93.151.207', 8080).
2023-10-13T20:15:22.872Z eam:CollectRequirements WARNING eam.lib.eam-upgrade-prechecks The ('IP/FQDN', 8080) is not trusted.
Traceback (most recent call last):
  File "/storage/core/software-update/updates/8.0.2.00100/scripts/patches/payload/components-script/eam/lib/trust-verifier.py", line 284, in _verifyServer
    context.wrap_socket(
  File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:997)
 
 2023-10-13T20:15:45.482Z INFO vmware_b2b.patching.phases.discoverer Discovery completed. Result: [
 ...    
        "name": "eam",
        "patchScript": "/storage/core/software-update/updates/8.0.2.00100/scripts/patches/payload/components-script/eam",
        "requirementsResult": {
            "mismatches": [
                {
                    "description": null,
                    "problemId": null,
                    "relatedUserDataId": null,
                    "resolution": {
                        "args": [
                            "https://<IP/FQDN>:8080/vm/vm.ovf"
                        ],
                        "id": "eam.action.ensure.url.trusted",
                        "localized": "Please refer to https://kb.vmware.com/s/article/93526 to trust the URLs: https://<IP/FQDN>:8080/vm/vm.ovf.",
                        "translatable": "Please refer to https://kb.vmware.com/s/article/93526 to trust the URLs: %(0)s."
                    },
                    "severity": "error",
                    "text": {
                        "id": "eam.url.not.trusted",
                        "localized": "Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!",
                        "translatable": "Source ESX Agent Manager Configuration contains URLs that are not trusted by the System!"
                    }
            }
        }

 


Cause

In order to harden security, SSL trust pre-checks for the VIB/OVF URLs configured with ESX Agent Manager (EAM) are executed as one of the first steps during the VC upgrade.
  • The file server that hosts the OVF and/or VIB URLs of an EAM Agency uses an SSL certificate and any of the following is true:
    • There is an SSL certificate hostname mismatch, or
    • The SSL certificate is invalid, or
    • The SSL certificate is not trusted by the system. This can happen if the certificate verification is enabled on the system and any of the following is true:
      • The certificate is not signed by any of the root CA certificates of Photon OS or VECS TRUSTED_ROOTS.
      • The certificate is not configured explicitly to be trusted by the system using the attached script.
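
To tell which of the causes above applies to each endpoint, the reason string on the last traceback line of the log can be paired with the preceding "is not trusted" warning. The following is an added example, not part of eam-utility.py or any VMware code; the function names, the cause labels and the sample hosts are assumptions, and the sample log lines are constructed from the excerpts above.

```python
import re

# EAM pre-check warning; the comma is optional so the pattern also tolerates
# excerpts where it was lost in copy/paste.
WARN = re.compile(r"WARNING eam\.lib\.eam-upgrade-prechecks The "
                  r"\('(?P<host>[^']+)',?\s*(?P<port>\d+)\) is not trusted")
# Final traceback line; Python 3.5 prints no reason after "verify failed".
SSLERR = re.compile(r"^ssl\.\w+: \[SSL: CERTIFICATE_VERIFY_FAILED\] "
                    r"certificate verify failed(?:: (?P<reason>.+?))? \(_ssl\.c:\d+\)")

def classify(reason):
    """Map an OpenSSL verify reason to one of the causes listed above."""
    if reason is None:
        return "unspecified (older Python gives no reason)"
    r = reason.lower()
    if "mismatch" in r:
        return "hostname mismatch"
    if "expired" in r or "not yet valid" in r:
        return "invalid certificate"
    if "self-signed" in r or "self signed" in r or "issuer" in r:
        return "not trusted by the system"
    return "other: " + reason

def untrusted_endpoints(log_text):
    """Return [(host, port, cause)] for every 'is not trusted' warning."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = WARN.search(line)
        if m:
            if pending:  # previous warning had no ssl error line after it
                results.append(pending + (classify(None),))
            pending = (m.group("host"), int(m.group("port")))
            continue
        e = SSLERR.match(line.strip())
        if e and pending:
            results.append(pending + (classify(e.group("reason")),))
            pending = None
    if pending:
        results.append(pending + (classify(None),))
    return results

# Constructed sample modelled on the log excerpts (hosts are placeholders).
SAMPLE = """\
2023-10-13T20:15:22.872Z eam:CollectRequirements WARNING eam.lib.eam-upgrade-prechecks The ('fs1.example.test', 8080) is not trusted.
Traceback (most recent call last):
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:997)
2023-10-16T10:07:24.906Z WARNING eam.lib.eam-upgrade-prechecks The ('fs2.example.test'443) is not trusted.
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)
"""
```

Calling untrusted_endpoints() on the text of CollectRequirements_com.vmware.eam_<DATE>.log or PatchRunner.log gives one entry per endpoint that failed the handshake.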

Resolution

Any of the following options can be used as a remediation of the problem. After execution of any of the options, the VC upgrade needs to be started again.

Option 1 (recommended): Configure a leaf SSL certificate that is to be trusted for a specific VIB or OVF URL

  1. Log in to the VC through SSH as root.
  2. Download the eam-utility.py script from this KB to the VC file system (script_location).
  3. Run the command below (the '#' represents the command prompt and does not need to be entered):
# python <script_location>/eam-utility.py install-cert <VIB/OVF URL>
  4. Retry the vCenter Upgrade.


NOTE:

  • The operation above can be reverted by running: eam-utility.py uninstall-cert <VIB/OVF URL>


Option 2: Disable the SSL certificate verification for a specific VIB or OVF URL

Note: Using this option makes VIB and OVF URL download insecure.

  1. Log in to the VC through SSH as root.
  2. Download the eam-utility.py script from this KB to the VC file system (script_location).
  3. Run the command below (the '#' represents the command prompt and does not need to be entered):
# python <script_location>/eam-utility.py disable-trust <VIB/OVF URL>
  4. Retry the vCenter Upgrade.


NOTE:

  • The operation above can be reverted by running: eam-utility.py enable-trust <VIB/OVF URL>


Option 3: Change the file server SSL certificate

If the SSL certificate is invalid:

  1. Replace the SSL certificate with a valid one.
  2. Retry the vCenter Upgrade.


Option 4: Add a trusted root CA certificate to VECS

If the SSL certificate is issued by a CA:

  1. Add the root CA certificate to VECS TRUSTED_ROOTS.
  2. Retry the vCenter Upgrade. 


Attachments

eam-utility