VMware Update Manager download service fails to download files from HTTPS repositories
Article ID: 320037
Updated On:
Products
VMware
Issue/Introduction
Symptoms:
- when using UMDS 6.5 to download patches within RedHat Linux Enterprise Linux system (RHEL), UMDS is unable to download from the VMware online depots over HTTPS repositories.
- When attempting to download updates with Update Manager Download Service 6.5 on a RHEL 7.x system, you see a message similar to:
[root@umds ~]# /usr/local/vmware-umds/bin/vmware-umds -D
INFO -izing connection pool
INFO - ed to DSN OK
INFO - ring sequences
INFO - ing database version
Startingdownload of updates ...
INFO - ng download job {140674137613632}, url=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
ERROR - y_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
ERROR - g download job {140674137613632} throwserror: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
INFO - d failed but destination file /tmp/vcinO6QQA exists and is valid. Ignoring error
INFO - d job {140674137613632} finished, bytes downloaded = 0
INFO -izing connection pool
INFO - ed to DSN OK
INFO - ring sequences
INFO - ing database version
Startingdownload of updates ...
INFO - ng download job {140674137613632}, url=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
ERROR - y_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
ERROR - g download job {140674137613632} throwserror: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
INFO - d failed but destination file /tmp/vcinO6QQA exists and is valid. Ignoring error
INFO - d job {140674137613632} finished, bytes downloaded = 0
- In /var/log/vmware/vmware-updatemgr/umds/vmware-downloadService-log4cpp.log, you see entries similar to:
2017-06-08 06:17:44:473 'DownloadMgr' 140675026552576 INFO] [downloadMgr, 601] Executing download job {140674137613632}, url=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
[2017-06-08 06:17:44:474 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 354] GetEasy() needs to allocate new CURL
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 2001:559:19:988f::2ef...
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Immediate connect fail for 2001:559:19:988f::2ef: Network is unreachable
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 2001:559:19:9884::2ef...
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Immediate connect fail for 2001:559:19:9884::2ef:
Network is unreachable
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 184.25.207.49...
[2017-06-08 06:17:44:562 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Connected to hostupdate.vmware.com (184.25.207.49) port 443 (#0)
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * ALPN, offering http/1.1
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * successfully set certificate verify locations:
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * CAfile: none
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] CApath: /etc/ssl/certs
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * SSL certificate problem: unable to get local issuer certificate
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Closing connection 0
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 ERROR] [httpDownloadPosix, 606] curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
[2017-06-08 06:17:44:585 'DownloadMgr' 140675026552576 ERROR] [downloadMgr, 627] Executing download job {140674137613632} throws error: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
[2017-06-08 06:17:44:474 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 354] GetEasy() needs to allocate new CURL
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 2001:559:19:988f::2ef...
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Immediate connect fail for 2001:559:19:988f::2ef: Network is unreachable
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 2001:559:19:9884::2ef...
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Immediate connect fail for 2001:559:19:9884::2ef:
Network is unreachable
[2017-06-08 06:17:44:548 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Trying 184.25.207.49...
[2017-06-08 06:17:44:562 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Connected to hostupdate.vmware.com (184.25.207.49) port 443 (#0)
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * ALPN, offering http/1.1
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * successfully set certificate verify locations:
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * CAfile: none
[2017-06-08 06:17:44:563 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] CApath: /etc/ssl/certs
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * SSL certificate problem: unable to get local issuer certificate
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 DEBUG] [httpDownloadPosix, 167] * Closing connection 0
[2017-06-08 06:17:44:584 'httpDownload' 140675026552576 ERROR] [httpDownloadPosix, 606] curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
[2017-06-08 06:17:44:585 'DownloadMgr' 140675026552576 ERROR] [downloadMgr, 627] Executing download job {140674137613632} throws error: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- Running curl manually against the reported URL pulls down the XML file without issue.
- Adding the Intermediate CA and Root CA certificates to /etc/ssl/certs results in no change in behavior.
Cause
The issue is caused when CA certificates are stored in different places in different operation systems. UMDS source code uses a way to find out CA certificates for Ubuntu rather than RHEL.
Resolution
This issue is resolved in vCenter Server 6.5 U2, available at VMware Downloads.
Workaround:
To workaround this issue:
Option 1
Option 2
Replace the included libcurl.so.4 library module with a symbolic link pointing to the one currently on the system.
Workaround:
To workaround this issue:
Option 1
- Open downloadConfig.xml file from /usr/local/vmware-umds/bin.
- Update the urls from https to http in HostConfig.
Option 2
Replace the included libcurl.so.4 library module with a symbolic link pointing to the one currently on the system.
$ mv /usr/local/vmware-umds/lib/libcurl.so.4 /usr/local/vmware-umds/lib/libcurl.so.4.backup$ ln -s /usr/lib64/libcurl.so.4 /usr/local/vmware-umds/lib/libcurl.so.4Feedback
Yes
No
Powered by
