Unable to import ISO files or patches from Update Manager via HTML5 client
Article ID: 316532
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- While Importing ISO file from Update manager via HTML5 client, operation ends/stops without any specific error message
- You see message similar to below in the virgo.log located at
In Appliance: /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
In Windows: C:\ProgramData\VMware\vCenterServer\logs\vsphere-ui\logs\vsphere_client_virgo.log
[2020-03-05T22:05:23.623Z] [ERROR] tp-nio-127.0.0.1-5090-exec-7 com.vmware.vum.client.upload.FileUploadClient Error while executing HTTP request javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
Environment
VMware vSphere ESXi 6.7
VMware vCenter Server 6.7.x
VMware vCenter Server 6.7.x
Cause
This issue occurs when the VUM SSL certificate is absent from the trusted roots keystore on the vCenter Server.
Resolution
1. Inspect the certificate from the VUM SSL URL https://<VUM SERVER>:9087/vum-fileupload/ in your browser. Replace port 9087 if you have configured a custom SSL port.
2. Run this command to list the trusted roots certificates on the vCenter Server:
vecs-cli entry list --store TRUSTED_ROOTS --text
3. Verify the certificate from step 1 is absent in the output from step 2.
Note: You can use the Subject Key Identifier for comparison
4. Export the certificate from step 1 to a file and copy it to a temporary location in the vCenter Server.
5. Run this command to add the certificate to the trusted roots keystore on the vCenter Server:
vecs-cli entry create --store TRUSTED_ROOTS --alias <unique name> --cert <path to certificate file>
6. You can now remove the certificate file.
7. Run this command to verify that the trusted roots keystore on the vCenter Server now includes the certificate
vecs-cli entry list --store TRUSTED_ROOTS --text
2. Run this command to list the trusted roots certificates on the vCenter Server:
vecs-cli entry list --store TRUSTED_ROOTS --text
3. Verify the certificate from step 1 is absent in the output from step 2.
Note: You can use the Subject Key Identifier for comparison
4. Export the certificate from step 1 to a file and copy it to a temporary location in the vCenter Server.
5. Run this command to add the certificate to the trusted roots keystore on the vCenter Server:
vecs-cli entry create --store TRUSTED_ROOTS --alias <unique name> --cert <path to certificate file>
6. You can now remove the certificate file.
7. Run this command to verify that the trusted roots keystore on the vCenter Server now includes the certificate
vecs-cli entry list --store TRUSTED_ROOTS --text
Feedback
Yes
No
Powered by
