When a custom repository is set up with authentication and a self-signed certificate that VCSA does not trust, the patcher module cannot reach the repository and fails to download the files with the following error:
"Failed to load the repository manifest data for the configured upgrade".
The patcher works in the following scenarios:
- The customer uses online mode.
- The customer has a custom repository with a trusted SSL certificate.
- The customer has no authentication configured on the custom repository.
| Sl No | SSL Certificate (Trusted/Non-Trusted) | Authentication (Yes/No) | Will Work | Workaround |
|---|---|---|---|---|
| 1 | Trusted | No | Yes | NA |
| 2 | Trusted | Yes | No | Update Leaf service using API (Workaround-1) |
| 3 | Non-Trusted | No | No | Adding certs to trusted roots (Workaround-2) |
| 4 | Non-Trusted | Yes | No | Update Leaf service using API (Workaround-1 + 2) |
Leaf service update: The leaf service update feature is available through the public APIs, but there is no UI for it.
Customers can use this API to update the vLCM service, which carries the fix for this issue. However, this requires at least a KB article that lays out the steps clearly and simply.
API
API to list the pending updates:
curl --location --request GET 'https://<VCENTER_FQDN>:5480/rest/appliance/update/pending?source_type=LOCAL_AND_ONLINE&url=https://build-squid.eng.vmware.com/build/mts/release/bora-20400468/publish/exports/Update_Repo' --header 'Authorization: Basic <Auth>'
API to fetch the leaf-service components of the pending update:
curl --location --request GET 'https://<VCENTER_FQDN>:5480/rest/appliance/update/pending/8.0.0.20000/components' --header 'Authorization: Basic <Auth>'
API to perform the vLCM update:
curl --location --request POST 'https://<VCENTER_FQDN>:5480/rest/appliance/update/pending/8.0.0.20000?action=stage-and-install' --header 'Authorization: Basic <Auth>' --header 'Content-Type: application/json' --data-raw '{"user_data": [ ], "component": "vlcm"}'
Note: <Auth> must be replaced with the Basic authorization token, which can be obtained with echo -n 'root:<PASSWORD>' | base64
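The same three calls as an added Python example (not from the original article and not VMware's own tooling): it builds the Basic token in-process instead of on the command line, so the root password does not land in shell history, and calls the endpoints shown above in order. The function names, the REPO_URL placeholder and the optional `cafile` parameter (for an appliance whose own certificate is issued by a private CA) are this example's assumptions; 8.0.0.20000 is the pending version used by the curl commands.

```python
"""Workaround-1 driven from Python: list the pending update, fetch its
leaf-service components and stage-and-install only the vlcm component.

Added example, not from the original article. Endpoints are the three VAMI
calls shown in the article; helper names, REPO_URL and `cafile` are assumptions.
"""
import base64
import getpass
import json
import ssl
import sys
import urllib.parse
import urllib.request

VAMI_PORT = 5480          # appliance management port used by the article's curl calls
VERSION = "8.0.0.20000"   # pending update version from the article
REPO_URL = "https://<CustomUpdateRepoFQDN>/<path>/Update_Repo"  # placeholder, replace


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value; the same bytes as
    `echo -n 'root:<PASSWORD>' | base64`, built here so the password is never
    typed on a command line."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def pending_updates_url(vcenter_fqdn: str, repo_url: str) -> str:
    """GET: list pending updates visible from the custom repository."""
    query = urllib.parse.urlencode({"source_type": "LOCAL_AND_ONLINE", "url": repo_url})
    return f"https://{vcenter_fqdn}:{VAMI_PORT}/rest/appliance/update/pending?{query}"


def components_url(vcenter_fqdn: str, version: str) -> str:
    """GET: list the leaf-service components of one pending update."""
    return f"https://{vcenter_fqdn}:{VAMI_PORT}/rest/appliance/update/pending/{version}/components"


def stage_and_install_url(vcenter_fqdn: str, version: str) -> str:
    """POST: stage and install a single component of the pending update."""
    return f"https://{vcenter_fqdn}:{VAMI_PORT}/rest/appliance/update/pending/{version}?action=stage-and-install"


def stage_and_install_body(component: str = "vlcm") -> str:
    """JSON body from the article's POST; only the named component is installed."""
    return json.dumps({"user_data": [], "component": component})


def call(url: str, auth: str, cafile=None, method: str = "GET", body: str = None):
    """One authenticated VAMI request. TLS is verified against the default
    store, or against `cafile` when the appliance uses a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    req.add_header("Authorization", auth)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return json.load(resp)


def update_vlcm(vcenter_fqdn: str, repo_url: str, password: str, cafile=None):
    """Run the three calls in the article's order; returns their raw JSON."""
    auth = basic_auth_header("root", password)
    pending = call(pending_updates_url(vcenter_fqdn, repo_url), auth, cafile)
    components = call(components_url(vcenter_fqdn, VERSION), auth, cafile)
    result = call(stage_and_install_url(vcenter_fqdn, VERSION), auth, cafile,
                  method="POST", body=stage_and_install_body("vlcm"))
    return pending, components, result


if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "<VCENTER_FQDN>"
    pw = getpass.getpass("root password: ")
    for step in update_vlcm(fqdn, REPO_URL, pw):
        print(json.dumps(step, indent=2))
```

The Basic token is only base64 of `root:<PASSWORD>`, so handle the `<Auth>` value with the same care as the password itself (do not paste it into tickets or chat). The repository URL is percent-encoded in the query string here, which the endpoint accepts just as it accepts the bare URL the curl command passes.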
When the repository's SSL certificate is not trusted, it needs to be added to the VCSA trusted roots. This is done by copying the repository certificate to the VCSA and trusting it in the VCSA and Python trust stores.
Follow the steps below to add the certificate to the trusted roots:
1. SSH into the vCenter.
2. Connect to the update repo with openssl s_client -connect <CustomUpdateRepoFQDN>:<port>
3. This lists the certificate, for example:
CONNECTED(00000003)
depth=0 C = IN, ST = KA, L = Bengaluru, O = VMware, OU = VsphereSolutions, CN = <>, emailAddress = <>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = KA, L = Bengaluru, O = VMware, OU = VsphereSolutions, CN = <>, emailAddress = <>
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=KA/L=Bengaluru/O=VMware/OU=VsphereSolutions/CN=<>/emailAddress=<>
   i:/C=IN/ST=KA/L=Bengaluru/O=VMware/OU=VsphereSolutions/CN=<>/emailAddress=<>
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAmWgAwIBAgIJAO7wGs2akToIMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
VQQGEwJJTjELMAkGA1UECAwCS0ExEjAQBgNVBAcMCUJlbmdhbHVydTEPMA0GA1UE
CgwGVk13YXJlMRkwFwYDVQQLDBBWc3BoZXJlU29sdXRpb25zMRcwFQYDVQQDDA4x
MC4xNTguM5R96Hjli
-----END CERTIFICATE-----
4. Copy the certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (both lines included).
5. Paste the copied text at the end of the file /usr/lib/python3.7/site-packages/certifi/cacert.pem
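Steps 2 to 5 as an added Python example (not from the original article). It fetches the repository certificate the way `openssl s_client` does, compares its SHA-256 fingerprint with one obtained out of band from the repository owner before trusting it, appends it to the certifi bundle only if an identical certificate is not already there, and then proves that a verified TLS connection succeeds using that bundle alone. CERTIFI_BUNDLE is the path the article names; the function names, the fingerprint check and the constructed SAMPLE_PEM_* placeholders (valid PEM envelopes around bytes that are not certificates, so the merge logic can be exercised offline) are this example's own assumptions.

```python
"""Workaround-2 automated and made idempotent: fetch the custom repository's
certificate, check its fingerprint, append it to the certifi bundle once, and
confirm a verified TLS connection now works.

Added example, not from the original article. CERTIFI_BUNDLE is the article's
path; function names, the fingerprint check and SAMPLE_PEM_* are assumptions.
"""
import hashlib
import socket
import ssl
import sys

CERTIFI_BUNDLE = "/usr/lib/python3.7/site-packages/certifi/cacert.pem"

# Constructed placeholders for offline runs: PEM envelopes around bytes that
# are NOT certificates. A real run fetches the PEM with fetch_server_pem().
SAMPLE_PEM_A = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a certificate: A")
SAMPLE_PEM_B = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a certificate: B")


def fetch_server_pem(host: str, port: int) -> str:
    """Same data as `openssl s_client -connect host:port`: the server
    certificate as one PEM block. Nothing is verified here, which is why the
    fingerprint is checked before anything is written."""
    return ssl.get_server_certificate((host, port))


def pem_blocks(text: str) -> list:
    """Split a bundle into its certificate blocks (comment lines dropped)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif line == "-----END CERTIFICATE-----" and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: what `openssl x509 -fingerprint -sha256`
    prints, without the colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def merge_bundle(existing: str, pem: str):
    """Return (new_text, changed). The certificate is appended only when no
    block with the same fingerprint is already in the bundle."""
    if fingerprint(pem) in {fingerprint(b) for b in pem_blocks(existing)}:
        return existing, False
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + pem.strip() + "\n", True


def trust_repo_cert(host: str, port: int, expected_fingerprint: str = None,
                    bundle_path: str = CERTIFI_BUNDLE) -> bool:
    """Fetch, check against the out-of-band fingerprint, append. Returns True
    when the bundle file was changed."""
    pem = fetch_server_pem(host, port)
    fp = fingerprint(pem)
    if expected_fingerprint and fp != expected_fingerprint.replace(":", "").lower():
        raise RuntimeError(f"fingerprint {fp} does not match the expected value; not trusting it")
    with open(bundle_path, encoding="utf-8") as fh:
        existing = fh.read()
    merged, changed = merge_bundle(existing, pem)
    if changed:
        with open(bundle_path, "w", encoding="utf-8") as fh:
            fh.write(merged)
    return changed


def verify_with_bundle(host: str, port: int, bundle_path: str = CERTIFI_BUNDLE) -> str:
    """Open a verified TLS connection trusting only the bundle; returns the
    peer's subject CN, or raises ssl.SSLCertVerificationError if still untrusted."""
    ctx = ssl.create_default_context(cafile=bundle_path)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return subject.get("commonName", "")


if __name__ == "__main__":
    repo_host, repo_port = sys.argv[1], int(sys.argv[2])
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    print("bundle changed:", trust_repo_cert(repo_host, repo_port, expected))
    print("verified CN:", verify_with_bundle(repo_host, repo_port))
```

Two caveats a practitioner will want: the final check also enforces hostname matching, so the certificate's CN or subjectAltName must equal the repository FQDN configured in VCSA, or the patcher will still fail verification even though the certificate is now trusted; and cacert.pem is owned by the certifi package, so an update of that package replaces the file and the step has to be repeated.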