Unable to import ISO files or patches from Update Manager via HTML5 client
search cancel

Unable to import ISO files or patches from Update Manager via HTML5 client

book

Article ID: 316532

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

  • While Importing ISO file from Update manager via HTML5 client, operation ends/stops without any specific error message.
  • Message similar to below in the log file /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
 [ERROR] tp-nio-127.0.0.1-5090-exec-7 com.vmware.vum.client.upload.FileUploadClient   Error while executing HTTP request javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)  

Environment

  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

This issue occurs when the VUM SSL certificate is absent from the trusted roots keystore on the vCenter Server.

Resolution

1. Inspect the certificate from the VUM SSL URL https://<VUM SERVER>:9087/vum-fileupload/ in your browser. Replace port 9087 if a custom SSL port was configured.

2. Run this command to list the trusted roots certificates on the vCenter Server:
vecs-cli entry list --store TRUSTED_ROOTS --text

3. Verify the certificate from step 1 is absent in the output from step 2.
Note: You can use the Subject Key Identifier for comparison

4. Export the certificate from step 1 to a file and copy it to a temporary location in the vCenter Server.

5. Run this command to add the certificate to the trusted roots keystore on the vCenter Server:
vecs-cli entry create --store TRUSTED_ROOTS --alias <unique name> --cert <path to certificate file>

6. Remove the certificate file.

7. Run this command to verify that the trusted roots keystore on the vCenter Server now includes the certificate 
vecs-cli entry list --store TRUSTED_ROOTS --text

Additional Information

If this issue is seen when the Root CA is not part of the Machine SSL certificate chain add the Root CA to the chain.

Powered by Wolken Software