Error: "A depot is inaccessible or has invalid contents" when attempting to sync or download updates in Lifecycle Manager
search cancel

Error: "A depot is inaccessible or has invalid contents" when attempting to sync or download updates in Lifecycle Manager

book

Article ID: 366910

calendar_today

Updated On: 04-29-2025

Products

VMware vCenter Server

Issue/Introduction

  • Unable to sync or download updates in vCenter Lifecycle Manager.
  • vSphere Client displays:

    A general system error occurred: A depot is inaccessible or has invalid contents. Make sure an official depot source is used and verify connection to the depot

  • In /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log, the following events are reported,

YYYY-MM-DDTHH:MM:SS.087+11:00 verbose vmware-vum-server[36469] [Originator@6876 sub=httpDownload] [httpDownloadPosix 188] * Recv failure: Connection reset by peer
YYYY-MM-DDTHH:MM:SS.087+11:00 verbose vmware-vum-server[36469] [Originator@6876 sub=httpDownload] [httpDownloadPosix 188] * OpenSSL SSL_connect: Connection reset by peer in connection to hostupdate.vmware.com:443
YYYY-MM-DDTHH:MM:SS.087+11:00 verbose vmware-vum-server[36469] [Originator@6876 sub=httpDownload] [httpDownloadPosix 188] * Closing connection

YYYY-MM-DDTHH:MM:SS] warning vmware-vum-server[28824] [Originator@6876 sub=VumVapi::Lib::Utils] [EmbeddedPyServiceProvider 472] Connecting to https://hostupdate.vmware.com/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml failed, err: curl_easy_perform() failed: cURL Error: Timeout was reached, Failed to connect to hostupdate.vmware.com port 443 after 3001 ms: Timeout was reached
[YYYY-MM-DDTHH:MM:SS] warning vmware-vum-server[28824] [Originator@6876 sub=VumVapi::Lib::Utils] [EmbeddedPyServiceProvider 425] Failed 10 times when connecting online depot https://hostupdate.vmware.com/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml
[YYYY-MM-DDTHH:MM:SS] error vmware-vum-server[28824] [Originator@6876 sub=ServiceProvider] [EmbeddedPyServiceProvider 1570] At least one online depot is  not accessible: https://hostupdate.vmware.com/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml, https://hostupdate.vmware.com/software/VUM/PRODUCTIO
N/main/vmw-depot-index.xml, https://hostupdate.vmware.com/software/VUM/PRODUCTION/iovp-main/vmw-depot-index.xml, https://hostupdate.vmware.com/software/VUM
/PRODUCTION/vmtools-main/vmw-depot-index.xml
[YYYY-MM-DDTHH:MM:SS] error vmware-vum-server[28824] [Originator@6876 sub=com.vmware.vcIntegrity.lifecycle.SyncDepotsTask] [SyncDepotsTask 221] Failed to sync depots. Merged depot content is invalid: Error:
-->    com.vmware.vapi.std.errors.error
--> Messages:
-->    com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError<A depot is inaccessible or has invalid contents. Make sure an official depot source is
 used and verify connection to the depot.>
--> 
[YYYY-MM-DDTHH:MM:SS] info vmware-vum-server[28824] [Originator@6876 sub=com.vmware.vcIntegrity.lifecycle.SyncDepotsTask] [Task, 524] Task:com.vmware.vcIntegrity.lifecycle.SyncDepotsTask ID:52389bf9-1bef-5bbe-1c75-02d99f916369. Finalizing Task
[YYYY-MM-DDTHH:MM:SS] info vmware-vum-server[28824] [Originator@6876 sub=com.vmware.vcIntegrity.lifecycle.SyncDepotsTask] [Task, 524] Task:com.vmware.vcIntegrity.lifecycle.SyncDepotsTask ID:52389bf9-1bef-5bbe-1c75-02d99f916369. Task Finalization completed.
[YYYY-MM-DDTHH:MM:SS] error vmware-vum-server[28824] [Originator@6876 sub=com.vmware.vcIntegrity.lifecycle.SyncDepotsTask] [Task, 524] Task:com.vmware.vcIntegrity.lifecycle.SyncDepotsTask ID:52389bf9-1bef-5bbe-1c75-02d99f916369. Task Failed. Error: Error:
-->    com.vmware.vapi.std.errors.error
--> Messages:
-->    com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError<A depot is inaccessible or has invalid contents. Make sure an official depot source is used and verify connection to the depot.>
--> 
[YYYY-MM-DDTHH:MM:SS] warning vmware-vum-server[28726] [Originator@6876 sub=TaskStatsCollector] [taskStatsCollector 190] Task type or creation time not present
[YYYY-MM-DDTHH:MM:SS] info vmware-vum-server[28824] [Originator@6876 sub=PM.AsyncTask.SyncDepotsTask{10}] [vciTaskBase 1496] SerializeToVimFault fault:
--> (vmodl.fault.SystemError) {
-->    faultCause = (vmodl.MethodFault) null, 
-->    faultMessage = (vmodl.LocalizableMessage) [
-->       (vmodl.LocalizableMessage) {
-->          key = "com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError", 
-->          arg = <unset>, 
-->          message = <unset>
-->       }
-->    ], 
-->    reason = "vLCM Task failed, see Error Stack for details."
-->    msg = "{
-->     "data": null,
-->     "error_type": "ERROR",
-->     "messages": [
-->         {
-->             "args": [],
-->             "default_message": "A depot is inaccessible or has invalid contents. Make sure an official depot source is used and verify connection to the depot.",
-->             "id": "com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError"
-->         }
-->     ]
--> }"
--> }
--> Converted fault:
--> (vim.fault.ExtendedFault) {
-->    faultCause = (vmodl.MethodFault) null, 
-->    faultMessage = (vmodl.LocalizableMessage) [
-->       (vmodl.LocalizableMessage) {
-->          key = "com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError", 
-->          arg = <unset>, 
-->          message = <unset>
-->       }
-->    ], 
-->    faultTypeId = "SystemError", 
-->    data = (vim.KeyValue) [
-->       (vim.KeyValue) {
-->          key = "faultCause", 
-->          value = ""
-->       }, 
-->       (vim.KeyValue) {
-->          key = "reason", 
-->          value = "vLCM Task failed, see Error Stack for details."
-->       }
-->    ]
-->    msg = "{
-->     "data": null,
-->     "error_type": "ERROR",
-->     "messages": [
-->         {
-->             "args": [],
-->             "default_message": "A depot is inaccessible or has invalid contents. Make sure an official depot source is used and verify connection to the depot.",
-->             "id": "com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError"
-->         }
-->     ]
--> }"
--> }

Cause

vCenter Server is unable to reach hostupdate.vmware.com to download patches. This error appears if:

  • A firewall is blocking traffic between vCenter Server and https://hostupdate.vmware.com
  • A proxy server is not allowing traffic to hostupdate.vmware.com

Resolution

  • Add the allow rules in firewall to allow HTTPS and HTTP (443 and 80) traffic from VC to hostupdate.vmware.com.

IPv4
162.159.140.167
172.66.0.165

IPv6
2a06:98c1:58::a5
2606:4700:7::a5

  • Refer to Public IP list for VMware Update Manager (IP Addresses of hostupdate.vmware.com) for the IP changes.
  • Confirm if vCenter Server reach hostupdate.vmware.com by running:

    curl -v "https://hostupdate.vmware.com/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml"

  • Review if vCenter Server uses a proxy server to connect to the internet
  • Does the proxy server allow connections to hostupdate.vmware.com?
  • Use the below curl command to validate access through the proxy server:

    curl -v -x "https://proxyserver:port" "https://hostupdate.vmware.com/software/VUM/PRODUCTION/addon-main/vmw-depot-index.xml"

Additional Information

  • The same errors can be seen when using 3rd party depots in LCM as additional Download sources.
  • If these 3rd party Depots have access issues, then the same behavior and errors noted above can be seen.
  • vCenter Server logs will be similar to below:

File Path: /var/log/vmware/envoy/envoy-access.log

[YYYY-MM-DDTHH:MM:SS] info envoy[2101] [Originator@6876 sub=Default]

[YYYY-MM-DDTHH:MM:SS] GET /plugins/com.hpe.hsm.plugin~1.4.0.0~-261568790/###.###.###.###-443/addonservices/hpehsm/vendor.bundle.js HTTP/2 200 via_upstream - 0 780
142 274 15 258 ###.###.###.###:51672 TLSv1.2 ###.###.###.###:443 ###.###.###.###:41942 TLSv1.2 ###.###.###.###:443

Filepath: /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log

[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 624] Unset CURLOPT_PROXY
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 630] Set CURLOPT_NOPROXY as no_proxy: localhost, 127.0.0.1
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * Trying ###.###.###.###:443...
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 443 (#3)
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * ALPN: offers http/1.1
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * CAfile: /etc/pki/tls/certs/ca-bundle.crt
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * CApath: /etc/ssl/certs
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * SSL certificate problem: certificate has expired
[YYYY-MM-DDTHH:MM:SS] verbose vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 181] * Closing connection 3
[YYYY-MM-DDTHH:MM:SS] error vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 685] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: certificate has expired

  • To resolve this issue:
    • Verify if the required certs for this 3rd party depot are valid.
    • Alternatively, the depot can be disabled or removed and the update can be retried.

  • Seeing error " error vmware-vum-server[14323] [Originator@6876 sub=httpDownload] [httpDownloadPosix 685] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: certificate has expired " Could also indicate networking issues if there is no 3rd party depot. To check this:
    • Run curl -vvv https://hostupdate.vmware.com
    • Run openssl s_client -connect hostupdate.vmware.com:443

The output should look like:

# openssl s_client -connect hostupdate.vmware.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = Broadcom Inc., CN = hostupdate.vmware.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Palo Alto, O = Broadcom Inc., CN = hostupdate.vmware.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Month DD HH:MM:SS YYYY GMT; NotAfter: Month DD HH:MM:SS YYYY GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Month DD HH:MM:SS YYYY GMT; NotAfter: Month DD HH:MM:SS YYYY GMT
---

    • If the output is not signed by Digicert, then the environment is experiencing an SSL interference. The internal networking team will need to be engaged.
Powered by Wolken Software