"Sync Update" action from Life Cycle Manager fails with "A depot is inaccessible or has invalid contents. "
search cancel

"Sync Update" action from Life Cycle Manager fails with "A depot is inaccessible or has invalid contents. "

book

Article ID: 380501

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Sync update task fails at 10%. 
Full error reads "A general system error occurred: A depot is inaccessible or has invalid contents. Make sure an official depot is used and verify the connectivity to the depot"

Checking the /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log show errors related to certificate validation

2024-10-24T06:17:39.295Z warning vmware-vum-server[2222127] [Originator@6876 sub=VumVapi::Lib::Utils] [EmbeddedPyServiceProvider 472] Connecting to DOWNLOAD_SOURCE/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml failed, err: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: unable to get local issuer certificate

Environment

VMware vCenter Server 8.x

vCenter Server is configured with a proxy which has SSL Inspection enabled

Cause

When SSL inspection is enabled, Proxy uses two connection for each request. 

  • One between requester and proxy and the other between proxy and the actual https target.
  • Requester on the connection to the proxy always sees the certificate from the proxy server instead of actual https target.
  • Generally the proxy server certificates are either self signed or local CA signed.
  • Update Manager/Life Cycle Manager components (curl, python) cannot validate this certificate

Resolution

Configure the Proxy to disable SSL Inspection for the download sources used by Life Cycle Manager. Please see the respective documentation for the proxy on configuration details.

Additional Information

You can use wget command on the vCenter Server Appliance shell to verify if the certificate verifiable. 
Output:

wget https://DOWNLOAD_SOURCE/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml
--2024-10-23 08:17:00-- https://DOWNLOAD_SOURCE/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml
Connecting to 192.168.246.9:8080... connected.
ERROR: cannot verify hostupdate.vmware.com's certificate, issued by ‘CN=locaCA,DC=LocalDomain,DC=DOMAIN’:
Unable to locally verify the issuer's authority.

It is expected that the certificate for the download sources are issued by a trusted root CA and  publicly verifiable.

Note: An example of DOWNLOAD_SOURCE is hostdupdate.vmware.com