Adding a new online depot to vCenter Server 7.0 U2C and above vCenter Life Cycle Manager fails due to "self signed certificate" error

Article ID: 313814

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • When you add a new online depot to vCenter Life Cycle Manager from the UI or via the REST API, you see an error message similar to:
"Online Depot URL '<your-online-depot-URL>' is not valid or cannot be reached now."
  • This issue affects managing ESXi hosts through either vLCM Baselines or vLCM Images.
  • You see entries similar to the following in the vmware-vum-server.log file.
Note: The vmware-vum-server.log file is located at /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log

YYYY-MM-DDTHH:MM:SSZ info vmware-vum-server[34922] [Originator@6876 sub=DepotsUtil] [DepotsUtil 1121] Testing online URL: <your-online-depot-URL>
...
YYYY-MM-DDTHH:MM:SSZ info vmware-vum-server[34856] [Originator@6876 sub=DownloadMgr] [downloadMgr 668] Executing download job {140679180444672}, url=<your-online-depot-URL>
...
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Connected to <your-online-depot-server-name> (<your-online-depot-server-IP>) port 443 (#19)
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * ALPN, offering http/1.1
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * successfully set certificate verify locations:
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * CAfile: /etc/pki/tls/certs/ca-bundle.crt
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * CApath: /etc/ssl/certs
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * SSL certificate problem: self signed certificate
YYYY-MM-DDTHH:MM:SSZ verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Closing connection 19
YYYY-MM-DDTHH:MM:SSZ error vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 685] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self signed certificate


Note: The preceding log excerpts are only examples. The date, time, and environmental variables may vary depending on your environment.
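
A triage helper for the log signature above, as an added example (not VMware's code): it pairs each curl "Connected to" line with a later "SSL certificate problem" line and lists the depot hosts whose certificates were rejected. The function names, the sample host names, IPs and timestamps, and the assumption that the lines of one download share the bracketed id are assumptions of this example.

```shell
#!/bin/sh
# Added example. Reads vmware-vum-server.log text (file arguments or stdin) and
# prints "host ip port reason" for each depot whose certificate curl rejected.
# Assumption: the lines of one download job share the id in "vmware-vum-server[ID]".
find_untrusted_depots() {
  awk '
    function id_of(line,   s) {          # id inside vmware-vum-server[...]
      if (!match(line, /vmware-vum-server\[[0-9]+\]/)) return ""
      s = substr(line, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); return s
    }
    /sub=httpDownload/ && / \* Connected to / {
      match($0, /Connected to .*/)
      split(substr($0, RSTART, RLENGTH), f, " ")
      ip = f[4]; gsub(/[()]/, "", ip)
      peer[id_of($0)] = f[3] " " ip " " f[6]   # remember the last peer per id
      next
    }
    / \* SSL certificate problem: / {
      id = id_of($0)
      if (!(id in peer)) next
      reason = $0; sub(/.*SSL certificate problem: /, "", reason)
      gsub(/ /, "_", reason)                    # keep the output one record per line
      key = peer[id] " " reason
      if (!(key in seen)) { seen[key] = 1; print key }   # report each depot once
      delete peer[id]
    }
  ' "$@"
}

# Constructed sample in the format of the excerpt above (hosts, IPs and times are made up).
sample_log() {
  p='[Originator@6876 sub=httpDownload] [httpDownloadPosix 182] *'
  cat <<EOF
2024-01-01T10:00:00Z verbose vmware-vum-server[34856] $p Connected to depot.example.test (192.0.2.10) port 443 (#19)
2024-01-01T10:00:00Z verbose vmware-vum-server[34856] $p CAfile: /etc/pki/tls/certs/ca-bundle.crt
2024-01-01T10:00:00Z verbose vmware-vum-server[34856] $p SSL certificate problem: self signed certificate
2024-01-01T10:00:00Z verbose vmware-vum-server[34856] $p Closing connection 19
2024-01-01T10:00:05Z verbose vmware-vum-server[34901] $p Connected to good.example.test (192.0.2.20) port 443 (#20)
2024-01-01T10:00:05Z verbose vmware-vum-server[34901] $p Closing connection 20
2024-01-01T10:01:00Z verbose vmware-vum-server[34856] $p Connected to depot.example.test (192.0.2.10) port 443 (#21)
2024-01-01T10:01:00Z verbose vmware-vum-server[34856] $p SSL certificate problem: self signed certificate
EOF
}
```

To run it against a real log, pass the vmware-vum-server.log path from the note above as the argument to find_untrusted_depots.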

Environment

VMware vCenter Server 7.0.x

Cause


The configured online depot server uses a self-signed certificate. vLCM's TLS certificate verification rejects it (see the log excerpt above), so vLCM cannot fetch information from the depot.

Resolution

The online depot server needs to be configured with a certificate signed by a root CA, or to provide a chain of certificates that are signed by a root CA.

Workaround:
As a workaround, the install-cert command can be run on vCenter to temporarily add the online depot server's self-signed certificate to the SSL certificate folder on vCenter.

WARNING: Apply the workaround only if you accept installing the online depot's self-signed certificate on the vCenter.

To add the self-signed certificate to the vCenter certificate store, follow these steps:
  1. Log in to the VCSA through SSH as root.
  2. Run the following command:
/usr/lib/vmware-updatemgr/bin/updatemgr-utility.py install-cert <your-online-depot-server-name-or-IP>

To remove the self-signed certificate from the vCenter certificate store, follow these steps:
  1. Log in to the VCSA through SSH as root.
  2. Run the following command:
/usr/lib/vmware-updatemgr/bin/updatemgr-utility.py uninstall-cert <your-online-depot-server-name-or-IP>







Additional Information

For more information about vCenter build numbers, see Build numbers and versions of VMware vCenter Server.