Symptoms:
Attempting to download patch definitions in the vSphere Web Client or vSphere Client (Flash) fails with the following symptoms:
vSphere Web Client (HTML5):
vSphere Client (Flash):
vCenter (BASH) shell:
- Attempting to pull down the XML file with curl results in an error:
# curl https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
In /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server-log4cpp.log you find the following entries:
[2019-09-20 21:00:11:185 'httpDownload' 140052601693952 ERROR] [httpDownloadPosix, 649] curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
[2019-09-20 21:00:11:185 'DownloadMgr' 140052601693952 ERROR] [downloadMgr, 629] Executing download job {140052105550256} throws error: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
When reading the certificate from https://hostupdate.vmware.com, you see it is not signed by a public Certificate Authority:
# echo | openssl s_client -connect hostupdate.vmware.com:443 2>/dev/null -showcerts | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
subject=/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=IT Operations/CN=*.vmware.com
issuer=/C=US/O=acme/OU=Lab/CN=proxy.acme.com
subject=/C=US//O=acme/OU=Lab/CN=proxy.acme.com
issuer=/DC=com/DC=acme/DC=ad/CN=CA-INTERM1
subject=/DC=com/DC=acme/DC=ad/CN=CA-INTERM1
issuer=/CN=CA-ROOT
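The subject/issuer pairs above can be summarised mechanically to show which CA actually issued the certificate presented for hostupdate.vmware.com. The following is an added example, not part of the original article; `chain_report` and `sample_chain` are hypothetical helper names, and the sample input is the output shown above.

```shell
#!/bin/sh
# Added example: summarise `openssl pkcs7 -print_certs -noout` output.
# chain_report and sample_chain are hypothetical helper names.

# chain_report: read subject=/issuer= pairs on stdin, print who issued each
# certificate, flag breaks in the chain, and name the leaf and top issuers.
# Returns non-zero when no certificate was found in the input.
chain_report() {
    awk '
    # Extract the CN from a DN in "/C=US/CN=x" or "C = US, CN = x" form.
    function cn(dn,   s) {
        if (match(dn, "CN *= *[^,/]+")) {
            s = substr(dn, RSTART, RLENGTH)
            sub("^CN *= *", "", s)
            return s
        }
        return dn
    }
    /^subject=/ { subj = cn(substr($0, 9)); next }
    /^issuer=/ {
        iss = cn(substr($0, 8)); n++
        printf "cert %d: %s <- %s\n", n, subj, iss
        if (n == 1) leaf_iss = iss
        # Each certificate should be the issuer of the one before it.
        else if (subj != prev) printf "  chain gap: expected %s here\n", prev
        prev = iss
    }
    END {
        if (!n) exit 1
        printf "leaf issuer: %s\ntop issuer: %s\n", leaf_iss, iss
    }'
}

# Sample input: the subject/issuer lines from the output above.
sample_chain() {
    cat <<'EOF'
subject=/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=IT Operations/CN=*.vmware.com
issuer=/C=US/O=acme/OU=Lab/CN=proxy.acme.com
subject=/C=US//O=acme/OU=Lab/CN=proxy.acme.com
issuer=/DC=com/DC=acme/DC=ad/CN=CA-INTERM1
subject=/DC=com/DC=acme/DC=ad/CN=CA-INTERM1
issuer=/CN=CA-ROOT
EOF
}

sample_chain | chain_report
```

On a live system, pipe the openssl pipeline shown above into `chain_report` in place of `sample_chain`.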