Adding a new online depot to vCenter Server 7.0 U2C and above vCenter Life Cycle Manager fails due to "self signed certificate" error

Article ID: 313814

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • When you add a new online depot to vCenter Life Cycle Manager from the UI or via the REST API, you see an error message similar to:
"Online Depot URL '<your-online-depot-URL>' is not valid or cannot be reached now."
  • This issue affects managing ESXi hosts through either vLCM Baselines or vLCM Images.
  • You may see entries similar to the following in the vmware-vum-server.log file:
Note: You can find vmware-vum-server.log at /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log

2021-07-07T21:02:50.770Z info vmware-vum-server[34922] [Originator@6876 sub=DepotsUtil] [DepotsUtil 1121] Testing online URL: <your-online-depot-URL>
...
2021-07-07T21:02:50.773Z info vmware-vum-server[34856] [Originator@6876 sub=DownloadMgr] [downloadMgr 668] Executing download job {140679180444672}, url=<your-online-depot-URL>
...
2021-07-07T21:02:50.820Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Connected to <your-online-depot-server-name> (<your-online-depot-server-IP>) port 443 (#19)
2021-07-07T21:02:50.820Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * ALPN, offering http/1.1
2021-07-07T21:02:50.820Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
2021-07-07T21:02:50.830Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * successfully set certificate verify locations:
2021-07-07T21:02:50.830Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * CAfile: /etc/pki/tls/certs/ca-bundle.crt
2021-07-07T21:02:50.830Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * CApath: /etc/ssl/certs
2021-07-07T21:02:50.882Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * SSL certificate problem: self signed certificate
2021-07-07T21:02:50.883Z verbose vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 182] * Closing connection 19
2021-07-07T21:02:50.887Z error vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 685] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self signed certificate

Note: The preceding log excerpts are only examples. The date, time, and environmental variables may vary depending on your environment.
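
To identify which depot endpoints are failing certificate verification, the following added example (not VMware's code and not part of the original article) pairs each "Connected to" line in the httpDownload output with a later "SSL certificate problem" line. It assumes the bracketed number after vmware-vum-server is shared by all lines of one download, as in the excerpt above; the host names and addresses in the sample are constructed placeholders.

```python
import re

# Constructed sample in the layout of the vmware-vum-server.log excerpt above.
# Host names and IP addresses are placeholders, not values from the article.
P = "[Originator@6876 sub=httpDownload] [httpDownloadPosix 182] "
SAMPLE_LOG = f"""\
2021-07-07T21:02:50.820Z verbose vmware-vum-server[34856] {P}* Connected to depot.example.test (192.0.2.10) port 443 (#19)
2021-07-07T21:02:50.830Z verbose vmware-vum-server[34856] {P}* CAfile: /etc/pki/tls/certs/ca-bundle.crt
2021-07-07T21:02:50.840Z verbose vmware-vum-server[34901] {P}* Connected to signed.example.test (192.0.2.20) port 443 (#20)
2021-07-07T21:02:50.882Z verbose vmware-vum-server[34856] {P}* SSL certificate problem: self signed certificate
2021-07-07T21:02:50.883Z verbose vmware-vum-server[34856] {P}* Closing connection 19
2021-07-07T21:02:50.887Z error vmware-vum-server[34856] [Originator@6876 sub=httpDownload] [httpDownloadPosix 685] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self signed certificate
2021-07-07T21:02:50.900Z verbose vmware-vum-server[34901] {P}* Closing connection 20
"""

LINE = re.compile(r"^(?P<ts>\S+) \w+ vmware-vum-server\[(?P<worker>\d+)\] "
                  r"\[Originator@\d+ sub=httpDownload\] \[httpDownloadPosix \d+\] (?P<msg>.*)$")
CONNECTED = re.compile(r"^\* Connected to (?P<host>\S+) \((?P<ip>[^)]+)\) port (?P<port>\d+) \(#\d+\)")
TLS_ERROR = re.compile(r"^\* SSL certificate problem: (?P<reason>.+)$")
CLOSING = re.compile(r"^\* Closing connection \d+")

def find_tls_failures(lines):
    """Return one record per depot connection that failed certificate verification."""
    # Bracketed worker id -> endpoint of its open connection. Assumption: all
    # lines of one download carry the same bracketed id, as in the excerpt.
    current = {}
    failures = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an httpDownload line
        worker, msg = m["worker"], m["msg"]
        if (c := CONNECTED.match(msg)):
            current[worker] = c.groupdict()
        elif (e := TLS_ERROR.match(msg)) and worker in current:
            # Attribute the failure to the endpoint this worker last connected to.
            failures.append({"time": m["ts"], "reason": e["reason"], **current[worker]})
        elif CLOSING.match(msg):
            current.pop(worker, None)
    return failures

if __name__ == "__main__":
    for f in find_tls_failures(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['host']} ({f['ip']}):{f['port']} -> {f['reason']}")
```

The summarizing curl_easy_perform() error line is deliberately not counted, so each failed connection is reported once.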

Environment

VMware vCenter Server 7.0.x

Cause


The configured online depot server uses a self-signed certificate, so vLCM cannot fetch information from it.

Resolution

The online depot server needs to be configured with a certificate signed by a root CA, or to provide a chain of certificates that are signed by a root CA.

Workaround:
As a workaround, the install-cert command can be run on vCenter to temporarily add the online depot server's self-signed certificate to the SSL certificate folder on vCenter.

WARNING: Apply the workaround only if you accept the online depot's self-signed certificate being installed on the vCenter.

To add the self-signed certificate to the vCenter certificate store, follow these steps:
  1. Log in to the VCSA through SSH as root.
  2. Run the following command:
/usr/lib/vmware-updatemgr/bin/updatemgr-utility.py install-cert <your-online-depot-server-name-or-IP>

To remove the self-signed certificate from the vCenter certificate store, follow these steps:
  1. Log in to the VCSA through SSH as root.
  2. Run the following command:
/usr/lib/vmware-updatemgr/bin/updatemgr-utility.py uninstall-cert <your-online-depot-server-name-or-IP>

Additional Information

For more information about vCenter build numbers, see Build numbers and versions of VMware vCenter Server.