Certificate validation fails during Depot setup in VMware Cloud Foundation Fleet Management when using a Proxy

Article ID: 427845

Products

VCF Operations

Issue/Introduction

When configuring a Depot in VCF Fleet Management in an environment where a proxy server is in use, the following behaviors are observed:
- Clicking “View Certificate Details” results in a validation error: "Connection failed - Network is unreachable (connect failed)"
- The error message persists in the user interface even after the depot is fully active.
- Despite the validation error, the depot is able to successfully connect, and product binary downloads complete without issues.
- The /var/log/vrlcm/vmware_vrlcm.log file displays a network connectivity error when the certificate check is triggered:
INFO vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.l.c.CertificateManagementController]  -- Request received to get certificate from https://dl.broadcom.com
INFO vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.l.s.CertificateManagementService]  -- Fetching certificate from https://dl.broadcom.com
INFO vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.u.CertificateUtil]  -- Endpoint : https://dl.broadcom.com
ERROR vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.u.CertificateUtil]  -- IOException occurred - Network is unreachable (connect failed)

Environment

VCF Operations 9.0.x
VCF Fleet Management 9.0.x

Cause

The issue is caused by the component responsible for retrieving certificate details (CertificateUtil) attempting to connect directly to the depot endpoint https://dl.broadcom.com without applying the configured system proxy settings. However, the actual file download service does correctly utilize the proxy configuration. This results in a "False Positive" scenario where the certificate validation fails due to the missing proxy route, but the functional task of downloading content succeeds.
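The log signature described above can be separated from other depot errors by pairing the CertificateUtil endpoint line with the unreachable IOException on the same request thread. The following is an added example, not code from the product or from this article's author; the function name, the sample lines marked as constructed, and the assumption that real log lines may carry a timestamp prefix are illustrative.

```python
import re

# Layout of the vmware_vrlcm.log lines quoted in this article:
#   LEVEL vrlcm[pid] [thread] [logger]  -- message
# search() is used so a leading timestamp (assumed, not shown in the article) is tolerated.
LINE = re.compile(r"(?P<level>INFO|ERROR)\s+vrlcm\[\d+\]\s+\[(?P<thread>[^\]]+)\]\s+"
                  r"\[(?P<logger>[^\]]+)\]\s+--\s+(?P<msg>.*)")
ENDPOINT = re.compile(r"Endpoint\s*:\s*(\S+)")
UNREACHABLE = "Network is unreachable (connect failed)"


def find_direct_connect_failures(lines):
    """Return (thread, endpoint) pairs where CertificateUtil announced an
    endpoint and then logged the unreachable IOException on the same thread."""
    pending = {}  # thread -> endpoint most recently announced by CertificateUtil
    hits = []
    for raw in lines:
        m = LINE.search(raw)
        if not m or not m["logger"].endswith("CertificateUtil"):
            continue  # only the certificate-details component is of interest
        ep = ENDPOINT.search(m["msg"])
        if m["level"] == "INFO" and ep:
            pending[m["thread"]] = ep.group(1)
        elif m["level"] == "ERROR" and UNREACHABLE in m["msg"]:
            endpoint = pending.pop(m["thread"], None)
            if endpoint:  # ignore errors with no preceding endpoint line
                hits.append((m["thread"], endpoint))
    return hits


SAMPLE = [
    # The next three lines are taken from the article.
    "INFO vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.l.s.CertificateManagementService]  -- Fetching certificate from https://dl.broadcom.com",
    "INFO vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.u.CertificateUtil]  -- Endpoint : https://dl.broadcom.com",
    "ERROR vrlcm[1241] [http-nio-8080-exec-6] [c.v.v.l.u.CertificateUtil]  -- IOException occurred - Network is unreachable (connect failed)",
    # Constructed lines: a check with no error, and an error with no endpoint line.
    "INFO vrlcm[1241] [http-nio-8080-exec-9] [c.v.v.l.u.CertificateUtil]  -- Endpoint : https://depot.example.invalid",
    "ERROR vrlcm[1241] [http-nio-8080-exec-3] [c.v.v.l.u.CertificateUtil]  -- IOException occurred - Network is unreachable (connect failed)",
]

if __name__ == "__main__":
    for thread, endpoint in find_direct_connect_failures(SAMPLE):
        print(f"certificate check connected directly and failed: {endpoint} ({thread})")
```

A hit for the depot endpoint only indicates the validation-only error when depot downloads are completing; errors from other components need separate investigation.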

Resolution

Since this is a validation-only error and does not affect the functionality of the product, no action is required if the depot downloads are completing successfully.
However, to resolve the error message or allow the "View Certificate Details" feature to function, you can implement the following workaround:
- Whitelist the Depot FQDN: Update your network firewall or gateway rules to whitelist the depot Fully Qualified Domain Name dl.broadcom.com. This allows VCF Fleet Management to reach the endpoint directly, bypassing the need for the proxy during the certificate validation check.
