ketchup57 edited this page Oct 10, 2025 · 1 revision

Welcome to the VCF9-Scripts wiki!

Additional Notes For VCF 9 offline depot configuration.

When following any of the VCF 9 offline depot guides written by some great folks (William Lam, Broadcom, the VMware Blog), there are repeated mentions of importing the self-signed certificate and/or your enterprise CA certificates into the different trusted keystores mentioned in this article: https://knowledge.broadcom.com/external/article?legacyId=77262

keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store

Run the command below to import the proxy certificate into the Java trust store:

keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit

These keystores are needed to download the overall VCF binary packages for upgrades, installs, and patching images. This, however, does not fix the issues with syncing the ESXi components and third-party partner VIBs when using the UMDS portion of the vcf-download-tool (see "VCF Download Tool Update Manager Download Service (UMDS) Commands").

This applies if you have these files downloaded and exported to your existing offline depot, configured for the URL https://<hostname/ipaddress>/umds-patch-store (SDDC Manager looks for umds-patch-store specifically in the vvsconfig.json).

Example:

https://vcf-offlinedepot.lab.local:443/umds-patch-store/hostupdate/__hostupdate20-consolidated-index__.xml

I have an nginx conf that I can share to have all the proper redirects for PROD, etc., and an .htpasswd file to work with SDDC Manager. Just let me know.

When you try to sync the ESXi components, you will most likely get a failed task in the operations center. Review the SDDC log:
cat /var/log/vmware/vmware-updatemgr/umds/vmware-downloadService.log

You should see something similar to the following in the log.


2025-10-09T16:22:10.322Z info vmware-downloadService[959155] [Originator@6876 sub=ThreadPool] Entering worker thread loop
2025-10-09T16:22:10.322Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 472] GetEasy() needs to allocate new CURL
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 695] Unset CURLOPT_PROXY
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 707] Unset CURLOPT_NOPROXY
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 759] Setup callback for SSL connections.
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * Host vcf-offlinedepot.lab.local:443 was resolved.
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * IPv6: (none)
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * IPv4: 10.10.254.194
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] *   Trying 10.10.254.194:443...
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] *  CApath: /etc/ssl/certs
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * ALPN: curl offers http/1.1
2025-10-09T16:22:10.384Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.384Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * closing connection #0
2025-10-09T16:22:10.385Z error vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 782] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.388Z error vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 782] [backtrace begin] product: VMware vSphere Update Manager Download Service, version: 9.0.0, build: build-24695687, tag: vmware-downloadService, cpu: x86_64, os: linux, buildType: release

--> [backtrace end]
2025-10-09T16:22:10.388Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 756] Cleanup SSL context
2025-10-09T16:22:10.388Z error vmware-downloadService[959145] [Originator@6876 sub=DownloadMgr] [downloadMgr 709] Executing download job {139698576042880} throws error: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.388Z error vmware-downloadService[959154] [Originator@6876 sub=Default] [updateDownloaderImpl 116] File download error: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain

The fix is to upload the self-signed / trusted enterprise CA certificate chain to /etc/ssl/certs

From there, run /usr/bin/rehash_ca_certificates.sh

and it will update the CA bundle at /etc/pki/tls/certs/ca-bundle.crt
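
To confirm which trust store the download service actually consulted, and to re-check after the rehash, the following added example (not part of the original wiki or any VMware tooling) summarizes TLS trust failures from the log format shown above. The function names are hypothetical, the sample lines are copied from the log excerpt on this page, and `check_depot_trust` assumes the `openssl` CLI is available on the appliance.

```shell
#!/bin/sh
# Added example: correlate curl's CAfile/CApath with the TLS failure per process.
# Sample input: lines copied from the log excerpt on this page.
sample_log() {
cat <<'EOF'
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * Host vcf-offlinedepot.lab.local:443 was resolved.
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] *  CApath: /etc/ssl/certs
2025-10-09T16:22:10.384Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.385Z error vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 782] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
EOF
}

# Reads log text on stdin; prints one line per failed handshake:
#   host=<host:port> cafile=<path> capath=<path> problem=<text>
umds_tls_failures() {
  awk '
    # Key all state by the bracketed process id so parallel downloads do not mix.
    {
      pid = ""
      if (match($0, /vmware-downloadService\[[0-9]+\]/))
        pid = substr($0, RSTART, RLENGTH)
    }
    /\* Host .* was resolved\./ {
      s = $0; sub(/.*\* Host /, "", s); sub(/ was resolved\..*/, "", s)
      host[pid] = s
    }
    /\* +CAfile: / { s = $0; sub(/.*CAfile: /, "", s); cafile[pid] = s }
    /\* +CApath: / { s = $0; sub(/.*CApath: /, "", s); capath[pid] = s }
    # Match only the verbose curl line, not the repeated error summaries.
    /\* SSL certificate problem: / {
      s = $0; sub(/.*SSL certificate problem: /, "", s)
      printf "host=%s cafile=%s capath=%s problem=%s\n", \
        host[pid], cafile[pid], capath[pid], s
    }
  '
}

# Returns 0 only if the depot chain validates against the same bundle and
# directory curl reported above. Usage: check_depot_trust host:port [bundle]
check_depot_trust() {
  openssl s_client -connect "$1" -servername "${1%%:*}" \
    -CAfile "${2:-/etc/pki/tls/certs/ca-bundle.crt}" -CApath /etc/ssl/certs \
    -verify_return_error </dev/null >/dev/null 2>&1
}

sample_log | umds_tls_failures
```

On a live system, feed the real log to `umds_tls_failures` on stdin; a reported `cafile` of `/etc/pki/tls/certs/ca-bundle.crt` shows the failure is in the OS bundle rather than the Java keystores.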
