Hi,
VAMI gives this user-friendly error:
Error in method invocation ({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '')
And while searching through the applmgmt logs from the shell, the following lines appear to be related to this error:
2019-05-17T12:13:54.960 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/bin/wget --no-check-certificate --connect-timeout 10 -P /storage/core/software-update/tmp/lates
2019-05-17T12:13:55.70 [3641]DEBUG:vmware.appliance.update.update_functions:WGET: https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000...
atest/manifest/manifest-latest.xml.sha256
2019-05-17T12:13:55.71 [3641]DEBUG:vmware.appliance.update.update_functions:Error reading fss override file [Errno 2] No such file or directory: '/etc/vmware/vsphereFeatures/b2b_fss_override.json'
2019-05-17T12:13:55.71 [3641]DEBUG:vmware.appliance.update.update_functions:Returning override switch updateAllowUnsecureUrl = None
2019-05-17T12:13:55.75 [3641]DEBUG:vmware.appliance.networking.proxy.proxy_impl:method=get, protocol=https
2019-05-17T12:13:55.76 [3641]DEBUG:vmware.appliance.update.update_functions:Policy not set.
2019-05-17T12:13:55.77 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/bin/wget --no-check-certificate --connect-timeout 10 -P /storage/core/software-update/tmp/latest
2019-05-17T12:13:55.192 [3641]DEBUG:vmware.appliance.update.update_functions:Running /usr/lib/applmgmt/support/scripts/manifest-verification /storage/core/software-update/tmp/latest/manifest-latest.xml 256
2019-05-17T12:13:55.257 [3641]DEBUG:vmware.appliance.update.update_functions:runCommandAndCheckResult failed: LocalizableException({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '')
2019-05-17T12:13:55.258 [3641]ERROR:vmware.appliance.update.update_b2b:
Got exception while trying discover at URL https://vapp-updates.vmware.com/vai-catalog/valm/vmw/8d167796-34d5-4899-be0a-6daade4005a3/6.7.0.3000... LocalizableException({'id': 'com.vmware.appliance.update.manifest_verification_failed', 'args': [], 'default_message': 'Manifest verification failed'}, 'Verification Failure\n', '') 'Traceback (most recent call last):\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1207, in processURLUpdates\n header = _discoverUpdateAtUrl(url,\'latest\')\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1144, in _discoverUpdateAtUrl\n versionFolder)\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1001, in _discoverUpdateAt\n xmlManifest = verifyManifest(tempFolder)\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 163, in verifyManifest\n "Manifest verification failed")))\n File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 352, in runCommandAndCheckResult\n raise exception\nvmware.appliance.update.update_functions.LocalizableException: ({\'id\': \'com.vmware.appliance.update.manifest_verification_failed\', \'args\': [], \'default_message\': \'Manifest verification failed\'}, \'Verification Failure\\n\', \'\')\n'
The manifest sha256 hash, however, seems to be in place:
cat /storage/core/software-update/tmp/latest/manifest-latest.xml.sha256
SHA256(manifest-latest.xml)= 629a5f480..b18
-----BEGIN CERTIFICATE-----
MIIDyzCCArOgAwIBAgIJAIR/y018RgMXMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
...
tAj6rdPq0c+/C+fct1cM
-----END CERTIFICATE-----
Is the hash a wrong one?
I was told by VMware support to manually set the update repository URL in the VAMI web interface of the VCSA to the next version as a workaround.
URL:
Default URL was:
After that I was able to upgrade the VCSA without problems.
After the upgrade I could switch the setting back to the default repository. (Which in fact is the given URL.)
I don't know if this is officially supported or just a solution for my special case. Better open a case yourself and ask them.
(My Case number was: 19207803305)
It really seems to be the case that the sha256 hash is a wrong one.
/usr/bin/openssl dgst -sha256 -verify /opt/vmware/var/lib/vami/update/data/signature.key -signature manifest-latest.xml.bin manifest-latest.xml
Verification Failure
And this is the file list
/storage/core/software-update/tmp/latest ]# ls -l
total 156
-rw-r--r-- 1 root root 147677 May 14 06:13 manifest-latest.xml
-rw-r--r-- 1 root root 256 May 17 15:20 manifest-latest.xml.bin
-rw-r--r-- 1 root root 1917 May 14 06:18 manifest-latest.xml.sha256
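The `openssl dgst -verify` call above fails in the same way whether the manifest, the signature or the public key is the input that does not match, so it helps to reproduce the check on files you control. This is an added example, not part of the original posts or of VMware's scripts: the key pair, manifest content and `other.key` are constructed, and it assumes the hex string on the first line of the `.sha256` file is what `manifest-latest.xml.bin` is decoded from.

```shell
#!/bin/sh
# Added example: constructed key pair and manifest, nothing from a real appliance.

# Decode the hex after "= " on line 1 of the .sha256 file into raw signature bytes.
# The certificate block that follows in that file is not part of the signature.
hex_to_bin() {
    sed -n '1s/^.*= *//p' "$1" | fold -w2 | while read -r b; do
        printf "\\$(printf '%03o' "0x$b")"
    done
}

# verify_manifest DIR PUBKEY: same openssl call as in the thread; exit status 0 = verified.
verify_manifest() {
    hex_to_bin "$1/manifest-latest.xml.sha256" > "$1/manifest-latest.xml.bin"
    openssl dgst -sha256 -verify "$2" \
        -signature "$1/manifest-latest.xml.bin" "$1/manifest-latest.xml"
}

# Build a signed, constructed manifest in a temp dir and print the dir path.
make_case() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$d/priv.pem" -pubout -out "$d/signature.key" 2>/dev/null
    # A second, unrelated public key to stand in for a mismatched signature.key.
    openssl genrsa 2048 2>/dev/null | openssl rsa -pubout -out "$d/other.key" 2>/dev/null
    printf '<update><version>constructed</version></update>\n' > "$d/manifest-latest.xml"
    sig=$(openssl dgst -sha256 -sign "$d/priv.pem" "$d/manifest-latest.xml" \
        | od -An -v -tx1 | tr -d ' \n')
    printf 'SHA256(manifest-latest.xml)= %s\n' "$sig" > "$d/manifest-latest.xml.sha256"
    echo "$d"
}

demo() {
    d=$(make_case) || return 1
    echo "intact manifest, matching key:"
    verify_manifest "$d" "$d/signature.key" || echo "(exit status $?)"
    echo "intact manifest, different key:"
    verify_manifest "$d" "$d/other.key" 2>/dev/null || echo "(exit status $?)"
    echo '<!-- changed after signing -->' >> "$d/manifest-latest.xml"
    echo "modified manifest, matching key:"
    verify_manifest "$d" "$d/signature.key" 2>/dev/null || echo "(exit status $?)"
}
demo
```

Only the first case verifies; the other two produce the same failure, which is why the file timestamps and the key in use are worth checking before concluding which input is at fault.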
Could see the resolution for the error. Here is more detail in this article: