VMware Cloud Community
Perttu
Enthusiast

vCenter 6.7U2 online update to 67U2a from VAMI fails in manifest verification.

Hi,

VAMI gives this user-friendly error:

Error in method invocation ({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '')

And while searching through the applmgmt logs from the shell, the following lines appear to be related to this error:

019-05-17T12:13:54.960 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/bin/wget --no-check-certificate --connect-timeout 10 -P /storage/core/software-update/tmp/latest https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000...

2019-05-17T12:13:55.70 [3641]DEBUG:vmware.appliance.update.update_functions:WGET: https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000...atest/manifest/manifest-latest.xml.sha256

2019-05-17T12:13:55.71 [3641]DEBUG:vmware.appliance.update.update_functions:Error reading fss override file [Errno 2] No such file or directory: '/etc/vmware/vsphereFeatures/b2b_fss_override.json'

2019-05-17T12:13:55.71 [3641]DEBUG:vmware.appliance.update.update_functions:Returning override switch updateAllowUnsecureUrl = None

2019-05-17T12:13:55.75 [3641]DEBUG:vmware.appliance.networking.proxy.proxy_impl:method=get, protocol=https

2019-05-17T12:13:55.76 [3641]DEBUG:vmware.appliance.update.update_functions:Policy not set.

2019-05-17T12:13:55.77 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/bin/wget --no-check-certificate --connect-timeout 10 -P /storage/core/software-update/tmp/latest https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000...

2019-05-17T12:13:55.192 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/lib/applmgmt/support/scripts/manifest-verification /storage/core/software-update/tmp/latest/manifest-latest.xml 256

2019-05-17T12:13:55.257 [3641]DEBUG:vmware.appliance.update.update_functions:runCommandAndCheckResult failed: LocalizableException({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '')

2019-05-17T12:13:55.258 [3641]ERROR:vmware.appliance.update.update_b2b:

Got exception while trying discover at URL https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000... LocalizableException({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '') 'Traceback (most recent call last):\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1207, in processURLUpdates\n    header = _discoverUpdateAtUrl(url,\'latest\')\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1144, in _discoverUpdateAtUrl\n    versionFolder)\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1001, in _discoverUpdateAt\n    xmlManifest = verifyManifest(tempFolder)\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 163, in verifyManifest\n   "Manifest verification failed")))\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 352, in runCommandAndCheckResult\n    raise exception\nvmware.appliance.update.update_functions.LocalizableException: ({\'id\': \'com.vmware.appliance.update.manifest_verification_failed\', \'args\': [], \'default_message\': \'Manifest verification failed\'}, \'Verification Failure\\n\', \'\')\n'

The manifest sha256 hash, however, seems to be in place:

cat /storage/core/software-update/tmp/latest/manifest-latest.xml.sha256

SHA256(manifest-latest.xml)= 629a5f480..b18

-----BEGIN CERTIFICATE-----

MIIDyzCCArOgAwIBAgIJAIR/y018RgMXMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV

...

tAj6rdPq0c+/C+fct1cM

-----END CERTIFICATE-----

Is the hash a wrong one?

Accepted Solutions
millaonline
Contributor

I was told by VMware support to manually set the update repository URL in the VAMI web interface of the VCSA to the next version as a workaround.

URL:

https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3100...

Default URL was:

https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000...

After that I was able to upgrade the VCSA without problems.

After the upgrade I could switch the setting back to the default repository. (Which in fact is the given URL.)

I don't know if this is officially supported or just a solution for my special case. Better to open a case yourself and ask them.

(My Case number was: 19207803305)

3 Replies
Perttu
Enthusiast

It really seems to be the case that the sha256 hash is a wrong one.

/usr/bin/openssl dgst -sha256 -verify /opt/vmware/var/lib/vami/update/data/signature.key -signature manifest-latest.xml.bin manifest-latest.xml

Verification Failure

And this is the file list

/storage/core/software-update/tmp/latest ]# ls -l

total 156

-rw-r--r-- 1 root root 147677 May 14 06:13 manifest-latest.xml

-rw-r--r-- 1 root root    256 May 17 15:20 manifest-latest.xml.bin

-rw-r--r-- 1 root root   1917 May 14 06:18 manifest-latest.xml.sha256

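An added example, not part of the thread and not VMware's manifest-verification script: it reproduces the openssl check quoted in the reply above on a throwaway RSA-2048 key and a constructed manifest. It assumes the 256-byte manifest-latest.xml.bin is the hex value after "SHA256(manifest-latest.xml)=" decoded to raw bytes, which makes that value a signature over the manifest rather than a plain digest, so a manifest that changes without a fresh .sha256 fails the check.

```shell
#!/bin/sh
# Added example: every key, file and file content below is constructed.
# Assumption: manifest-latest.xml.bin is the hex value from the .sha256 file
# decoded to raw bytes (256 bytes for an RSA-2048 signature).

hex_to_bin() {  # portable hex decoder, so the example does not need xxd
    for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

make_fixture() {  # $1 = work dir: throwaway key pair plus a signed manifest
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private.pem" -pubout -out "$1/signature.key" 2>/dev/null
    printf '<update><version>constructed</version></update>\n' \
        > "$1/manifest-latest.xml"
    sig=$(openssl dgst -sha256 -sign "$1/private.pem" "$1/manifest-latest.xml" \
          | od -An -v -tx1 | tr -d ' \n')
    printf 'SHA256(manifest-latest.xml)= %s\n' "$sig" \
        > "$1/manifest-latest.xml.sha256"
}

verify_manifest() {  # $1 = work dir: prints openssl's verdict, returns its status
    hex=$(sed -n 's/^SHA256(manifest-latest\.xml)= *//p' \
          "$1/manifest-latest.xml.sha256")
    hex_to_bin "$hex" > "$1/manifest-latest.xml.bin"
    openssl dgst -sha256 -verify "$1/signature.key" \
        -signature "$1/manifest-latest.xml.bin" "$1/manifest-latest.xml" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    echo "matching pair:   $(verify_manifest "$dir")"
    echo "signature bytes: $(wc -c < "$dir/manifest-latest.xml.bin" | tr -d ' ')"
    # The manifest is replaced while the old .sha256 stays in place.
    printf '<update><version>constructed-2</version></update>\n' \
        > "$dir/manifest-latest.xml"
    echo "stale signature: $(verify_manifest "$dir")"
    rm -rf "$dir"
}
demo
```

openssl reports the same failure whether the manifest, the signature or the key is the part that does not match, and the exact wording of the failure line differs between OpenSSL releases, so scripts should test the exit status instead of the text.
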
NRay
Contributor

Could see the resolution for the error. Here is more detail in this article:

error in method invocation {'default_message': 'checksum verification failed', 'id': 'com.vmware.app...
