Add new certificates to Trusted Roots for VCSA / Update Manager failing

Here is a problem that I came up against when trying to use Update Manager on my newly installed vCenter Server Appliance (VCSA). The same ‘fix’ would apply to those trying to perform an update of the VCSA/PSC itself.

If you see the notification below when trying to use Update Manager, and the Connectivity status shows as failing, try the procedure below.

patch definitions and patches cannot be accessed or have no patch data. Check the Internet connectivity.

First click on Download Settings in Update Manager / Manage and enter a proxy address if required (see my previous post on setting the https proxy). This is common on corporate networks, where you probably do not have direct access out to the internet.

Try Update Manager again. If this still fails, we need a little more information on what is going wrong. For this we can log into the appliance and in bash type in the following

With this we are effectively trying to download that URL from the command line, so any errors become visible. If you see a result such as the one below, where the certificate it's referring to is not from VMware but one that looks local, from your proxy server, you may well have SSL Interception enabled at your corporate proxy server.

WARNING: cannot verify vapp-updates.vmware.com's certificate
In this instance we can get around the issue by adding an SSL Interception exception at the proxy (i.e. do not intercept this URL), or, the better solution, by getting the appliance to trust the certificate presented by the proxy. You can achieve this by importing the certificates needed to trust the presented certificate; for me that was the Root and Issuing certificates. This is how that was done on the VCSA appliance:

First list the available stores

Show the number of entries in a particular store, e.g. TRUSTED_ROOTS, which is where we will want to import our certificates.

Add the entry to TRUSTED_ROOTS. (Use WinSCP or equivalent to copy your certificates to the appliance; in the example below I have copied them to /certs.)

New number of entries in TRUSTED_ROOTS

Notice now that the number of certificates has increased to 6. Retry the wget command; you should find that it completes successfully and Update Manager is able to connect!
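As an added example (not part of the original post), the script below wraps the import steps above into reusable shell functions: it splits a chain bundle exported from the proxy into one file per certificate (vecs-cli takes one certificate per entry), imports each into TRUSTED_ROOTS with a fingerprint-based alias, and counts the resulting entries. It assumes the standard VCSA path for vecs-cli, that `vecs-cli entry list` prints one `Alias` line per entry, and a bundle name of /certs/proxy-chain.pem; the placeholder bundle in demo_split is constructed and not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: standard VCSA vecs-cli path.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# split_pem_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-1.pem, cert-2.pem, ...
# (one PEM block each) and prints the number of certificates written.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# count_trusted_roots -> number of TRUSTED_ROOTS entries, parsed from the
# "vecs-cli entry list" output (assumed to print one "Alias" line per entry).
count_trusted_roots() {
    "$VECS_CLI" entry list --store TRUSTED_ROOTS | grep -c '^Alias'
}

# import_chain BUNDLE -> adds each certificate in the bundle (e.g. the proxy's
# root and issuing CA) as its own TRUSTED_ROOTS entry. The alias is derived from
# the certificate's SHA-1 fingerprint so re-running does not create duplicates
# with new names; prints how many certificates were processed.
import_chain() {
    tmp=$(mktemp -d)
    n=$(split_pem_bundle "$1" "$tmp")
    for f in "$tmp"/cert-*.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
        "$VECS_CLI" entry create --store TRUSTED_ROOTS --alias "proxy-$fp" --cert "$f"
    done
    rm -rf "$tmp"
    echo "$n"
}

# Offline demo: split a constructed placeholder bundle (two fake PEM blocks
# standing in for the root and issuing certificates); prints 2.
demo_split() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedRoot\n-----END CERTIFICATE-----\n' > "$d/bundle.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedIssuing\n-----END CERTIFICATE-----\n' >> "$d/bundle.pem"
    split_pem_bundle "$d/bundle.pem" "$d/out"
    rm -rf "$d"
}

# On the appliance: import_chain /certs/proxy-chain.pem; count_trusted_roots
```

After importing, rerun the wget check from above; the entry count reported by count_trusted_roots should have grown by the number of certificates in the bundle.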
