The vCenter Server is unable to fetch certificates from dl.broadcom.com
Article ID: 397872
Updated On:
Products
Issue/Introduction
The vCenter Server is unable to fetch certificates from dl.broadcom.com when attempting to check for updates via VAMI or Lifecycle Manager (LCM).
NOTE: Toggling the proxy settings (enabling/disabling) has no impact on the issue.
Network connectivity from vCenter to dl.broadcom.com over port 443 is verified and working using Telnet and Netcat. Using openssl s_client -connect dl.broadcom.com:443 -showcerts on the vCenter confirms that the certificate can be successfully retrieved from the endpoint.
The /var/log/vmware/applmgmt/applmgmt.log contains the following errors:
[YYYY-MM-DDTHH:MM:SS] [3454]DEBUG:vmware.appliance.update.update_functions: runCommandAndCheckResult failed: " -- YYYY-MM-DDTmm: ss:ms -- https://dl.broadcom.com/###dl.broadcom.com ... IP, IP\nConnecting to dl. broadcom.com| IP|:443 ... connected. \nERROR: cannot verify dl. broadcom.com's certificate, issued by 'CN= ':\n Self-signed certificate encountered. \nTo connect to dl.broadcom.com insecurely, use ` -- no-check-certificate'. \n"
[YYYY-MM-DDTHH:MM:SS] [3454]ERROR:vmware.appliance.update.update_b2b:Got exception while trying discover at URL https://dl.broadcom.com/##########data=None, error_type='NOT_FOUND') 'Traceback (most recent call last):\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.pytempFolder) \n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 582, in wgetWrapper\nraise exception\nvmware.appliance.update.update_functions. LocalizableException: {\'id\': \'com.vmware.appliance.update.download_failed\', \'default_message\': \'Download failed\', \'args\': []}\n\nDuring handling of the above exception, another exception occurred: \n\nTraceback (most recent call last):\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1764, in processURLUpdates\n_discoverUpdateAtUrl(url, \'latest\')\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1689, in _discoverUpdateAtUrl\nvapiNotFound(messageInvalidUrl(\'\'))\nFile "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 167, in vapiNotFound\nErrorFactory.new_not_found(messages=messages) \ncom. vmware.vapi.std.errors_provider.NotFound: {messages : [{\'id\': \'com. vmware.appliance.update.invalid_url\', \'default_message\': \'Check the URL and try again. \', \'args\': [\'\']}], data : None, error_type : NOT_FOUND}\n'
######/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/7.0.3.02200/manifest/manifest-latest.xml\nResolving', line 1499, in _discoverUpdateAt\nrunCommandAndCheckResult\nversionFolder)\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1505, in discoverUpdateAt\n
####/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/7.0.3.02200: NotFound(messages=[{'id': 'com.vmware. appliance.update.invalid_url', 'default_message': 'Check the URL and try again.', 'args': ['']}],
"Certificate error at target URL"))})\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py"
Certificate error is returned when attempting to wget the download URL from the vCenter, but it can be bypassed by running the same command with --no-check-certificates:
root@vcenter [ ~ ]# wget https://dl.broadcom.com/<TOKEN>/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
-- [YYYY-MM-DDTHH:MM:SS] -- https://dl.broadcom.com/<TOKEN>/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
Resolving dl.broadcom.com ... ###.###.###.###, ###.###.###.###, ####:####:## :: ##, ..
Connecting to dl.broadcom.com|###.###.###.###|:443 ... connected.
ERROR: cannot verify dl.broadcom.com's certificate, issued by 'CN=CUSTOMER_CA':
Unable to locally verify the issuer's authority.
To connect to dl.broadcom.com insecurely, use ` -- no-check-certificate'.
root@vcenter [ ~ ]# wget https://dl.broadcom.com/<TOKEN>/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml -- no-check-certificate
-- [YYYY-MM-DDTHH:MM:SS] -- https://dl.broadcom.com/<TOKEN>/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
Resolving dl.broadcom.com ... ###.###.###.###, ###.###.###.###, ####:####:##: :##, ...
Connecting to dl.broadcom.com|###.###.###.###|:443 ... connected.
WARNING: cannot verify dl.broadcom.com's certificate, issued by 'CN=CUSTOMER_CA':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response ... 200 OK
Length: 606 [text/xml]
Saving to: 'vmw-depot-index.xml'
vmw-depot-index.xml 100%[ ================================>] 606 --.-KB/s in 0s
[YYYY-MM-DDTHH:MM:SS] (804 MB/s) - 'vmw-depot-index.xml' saved [606/606]
Other descriptions of this issue:
Received the error URL is not correct with the correct token which was configured into the VAMI.
Environment
VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x
Cause
The problem is with the way the Network firewall handles the certificate request, a decryption problem
In SSL/TLS, a “certificate request” typically refers to the client receiving the server’s certificate during the TLS handshake, or to the server requesting a client certificate in mutual TLS (less common).
When the Firewall performs SSL/TLS inspection (aka TLS interception / MITM):
-
Intercepted Request Flow:
-
Client connects to
https://example.com -
Firewall intercepts this request
-
Firewall creates a new TLS connection to the destination server
-
It fetches the real server certificate
-
-
Decryption and Re-encryption:
-
Firewall decrypts the server’s response
-
Then it re-encrypts it with a custom certificate (often signed by a corporate CA trusted inside the organization)
-
Client sees this new certificate (not the real server’s)
-
-
Why Decryption Might Fail:
-
The client uses TLS with encrypted handshake extensions — making it harder for the FW to inspect
-
Certificate pinning in client blocks non-original certificates
-
Firewall has misconfigured SSL inspection rules
-
Firewall can't validate the original server’s cert chain correctly
-
The traffic is not decrypted successfully, and the client (IMHO) fails to continue
-
Resolution
This issue is not related to vSphere or vCenter. It appears to be caused by the firewall and should be investigated by your network or firewall team.
Workaround:
For VAMI: You can temporarily bypass certificate validation by unchecking the "Check certificate" option.
-
- Under Update Settings untick the box next to "Check Certificate (recommended)".
For LCM: Unfortunately, no workaround is available at this time.
Alternative Solution (for Isolation/Testing Only):
Note: This approach is intended for isolation and validation purposes only. It is not a recommended permanent solution. The recommended action is to coordinate with your firewall team to resolve the root cause.
- Take a snapshot of the vCenter before proceeding. For ELM setups, it is advised to take offline snapshots.
- SSH into the vCenter appliance and run the following command to fetch the certificate chain: openssl s_client -connect dl.broadcom.com:443 -showcerts
- Copy the complete certificate chain from the output — from:
-
- -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE----- - Save it to a
.cerfile.
- -----BEGIN CERTIFICATE-----
- The file should contain the certificates in the following order:
-
The server certificate (not required)
-
The Intermediate Certificate
-
The Root Certificate
Example structure:
-----BEGIN CERTIFICATE-----
<Server Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root Certificate>
-----END CERTIFICATE-----
- In the vSphere Client, navigate to:
Administration > Certificates > Certificate Management > Trusted Root Certificates,
and upload the .cer file containing the Intermediate and Root certificates.
Note: If the Trusted Root Certificate has expired, you will need to fetch and import the updated certificate again
Additional Information
Remove certificates from trusted root store manually : https://knowledge.broadcom.com/external/article/326288/removing-ca-certificates-from-the-truste.html
Feedback
