UMDS ESXi Components synchronization fails when using an HTTP/HTTPS Proxy with SSL Bump or an HTTPS Offline Depot in SDDC Manager



Article ID: 434146


Products

VMware SDDC Manager

Issue/Introduction

When an HTTP/HTTPS proxy that performs SSL Bump (SSL inspection), or an HTTPS Offline Depot, is configured in SDDC Manager for use by UMDS (Update Manager Download Service), UMDS synchronization fails. This happens even when the proxy or depot is configured correctly in SDDC Manager.

Symptoms:

  • UMDS download operations fail in the VCF Operations or SDDC Manager UI.

  • The lcm-debug.log on SDDC Manager shows protocol failures or connection errors when UMDS tries to communicate through the proxy or with the depot.

  • The following cURL SSL verification error is frequently observed in the logs. It means OpenSSL could not find, in the trust store it was given, the CA that issued the certificate presented by the proxy or depot:

    cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: unable to get local issuer certificate

Environment

VMware Cloud Foundation 9.0.x / 9.1.x

UMDS (Update Manager Download Service)

Environments using one of the following:

  • An HTTP/HTTPS proxy performing SSL-Bump (SSL Inspection) that requires a custom CA certificate.

  • An HTTPS Offline Depot that requires a custom CA certificate.

Cause

This issue is caused by one or both of the following factors, depending on the environment:

  1. Missing OS-Level Trust
    The vmware-umds binary validates TLS peers against the SDDC Manager OS-level trust store, not the Java keystore, so the custom CA certificate must be explicitly added there. The procedure in KB 316072 (How to import Proxy server certificate to SDDC manager trust store) imports the certificate into the Java trust store only; it does not install it into the OS-level trust store, so it does not resolve this error.

  2. Proxy Protocol Gap (VCF 9.1):
    HTTPS proxy support has been available in UMDS since VCF 9.1. However, the proxy scheme configured in SDDC Manager (https://) is not passed through to the UMDS binary, so UMDS does not connect to the proxy with the configured protocol.

Resolution

Part 1: Update the OS Trust Store (Required for ALL VCF 9.0 and 9.1 configurations with custom CA)
To resolve the SSL certificate error, the CA certificate must be manually added to the SDDC Manager OS trust store.

  1. SSH into the SDDC Manager appliance as vcf and switch to root.

  2. Obtain the CA certificate that issues the proxy's SSL Bump certificates, or the CA that issued the Offline Depot certificate, in PEM format, and give the file a .pem extension (e.g., proxy_ca.pem). Install the issuing CA (root, plus any intermediate), not the proxy's or depot's leaf certificate; a leaf certificate will not validate the per-site certificates the proxy generates. Note that any certificate this CA signs will be trusted by the SDDC Manager OS from this point on, so its private key must be protected accordingly.

  3. Copy the .pem file to the following directory on the appliance: /etc/ssl/certs/

  4. Execute the following system script to rebuild the trust store: /usr/bin/rehash_ca_certificates.sh

  5. Retry the UMDS synchronization from the UI (for VCF 9.0), or proceed to Part 2 (for VCF 9.1 with an HTTPS proxy).

 

Part 2: Manual UMDS Invocation (Required ONLY for VCF 9.1 with HTTPS Proxy)
For VCF 9.1, because the UMDS and SDDC Manager proxy protocol configurations are not fully integrated, you must invoke UMDS manually after completing Part 1, specifying the HTTPS proxy explicitly with the https:// scheme.
Note: This step is not required for Offline Depot configurations.

Example: --proxy-ip https://<proxy_ip_or_hostname>

Complete command example (replace ###.###.###.### with the proxy address and 3131 with the proxy port):

./vmware-umds -D -m --info-level error --proxy-username proxy_user --proxy-password proxy_password --proxy-port 3131 --proxy-ip https://###.###.###.###

Note: the proxy password passed on the command line is visible in the process list and in the shell history of the appliance.
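The following shell script ties Part 1 and Part 2 together with the checks a practitioner would want before and after touching the trust store. It is an added example, not part of this KB and not VMware tooling: it refuses a certificate file that is not PEM (a DER-encoded .cer is the usual mistake), installs the CA under /etc/ssl/certs and runs the rehash script named above, then proves with a strict curl fetch through the HTTPS proxy that the "unable to get local issuer certificate" condition is gone before running the UMDS command from Part 2. The CERT_DIR and REHASH defaults are the paths this KB names; PROXY_HOST, PROXY_PORT, PROXY_USER, PROXY_PASS, DEPOT_URL and UMDS_BIN are placeholders you must set for your environment.

```shell
#!/bin/sh
# Added example (not from the KB or from VMware): validate, install and verify a
# proxy/depot CA on SDDC Manager, then run the Part 2 UMDS command.
# Assumptions (not from the KB): the PROXY_*, DEPOT_URL and UMDS_BIN placeholders
# below must be set for your site; CERT_DIR and REHASH default to the KB's paths.

CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"
REHASH="${REHASH:-/usr/bin/rehash_ca_certificates.sh}"
UMDS_BIN="${UMDS_BIN:-./vmware-umds}"                # assumption: cwd is the UMDS directory
PROXY_SCHEME="${PROXY_SCHEME:-https}"                # https for the VCF 9.1 HTTPS-proxy case
PROXY_HOST="${PROXY_HOST:-proxy.example.invalid}"    # placeholder
PROXY_PORT="${PROXY_PORT:-3131}"                     # port used in the KB command
PROXY_USER="${PROXY_USER:-proxy_user}"               # placeholder
PROXY_PASS="${PROXY_PASS:-proxy_password}"           # placeholder
DEPOT_URL="${DEPOT_URL:-https://depot.example.invalid/}"  # placeholder HTTPS target

# Succeed only if FILE holds exactly one PEM-armoured certificate. A DER .cer
# exported from a Windows CA has no armour and is ignored by the PEM trust store.
is_pem_cert() {
    f="$1"
    [ -r "$f" ] || return 1
    begins=$(grep -ac -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -ac -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# Copy the CA into the OS store under a .pem name and rebuild the hash links so
# OpenSSL-based clients (curl, vmware-umds) can locate the issuer. Prints the path.
install_ca() {
    src="$1"
    is_pem_cert "$src" || { echo "refusing $src: not a single PEM certificate" >&2; return 1; }
    dst="$CERT_DIR/$(basename "${src%.*}").pem"
    cp "$src" "$dst" && chmod 0644 "$dst" && "$REHASH" && echo "$dst"
}

# Strict-verification fetch through the HTTPS proxy (deliberately no -k). With the
# bump CA trusted this prints the HTTP status; without it curl fails with the
# "unable to get local issuer certificate" error from the KB.
verify_proxy_trust() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --proxy "${PROXY_SCHEME}://${PROXY_HOST}:${PROXY_PORT}" \
        --proxy-user "${PROXY_USER}:${PROXY_PASS}" \
        "$DEPOT_URL"
}

# Part 2 of the KB: run UMDS with the proxy scheme spelled out explicitly.
run_umds_download() {
    "$UMDS_BIN" -D -m --info-level error \
        --proxy-username "$PROXY_USER" --proxy-password "$PROXY_PASS" \
        --proxy-port "$PROXY_PORT" --proxy-ip "${PROXY_SCHEME}://${PROXY_HOST}"
}

main() {
    ca="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the SDDC Manager appliance" >&2; exit 1; }
    install_ca "$ca" || exit 1
    verify_proxy_trust || { echo "curl still cannot verify through the proxy; check the CA" >&2; exit 1; }
    run_umds_download
}

# Usage (as root on SDDC Manager): sh umds_ca.sh /root/proxy_ca.crt
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The curl step is the useful gate: it exercises exactly the OpenSSL trust path that vmware-umds relies on, so a failure there points at the certificate (wrong file, leaf instead of CA, DER instead of PEM, rehash not run) rather than at UMDS. For an Offline Depot without a proxy, point DEPOT_URL at the depot and drop the two --proxy options from verify_proxy_trust; Part 2 does not apply in that case.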

 

Additional Information

Japanese title of this article: UMDS ESXi Components synchronization fails when using an HTTP/HTTPS Proxy with SSL Bump or an HTTPS Offline Depot in SDDC Manager