VMware Cloud Community
KKvss
Enthusiast

vLCM - HPe HSM - Fetching of online depot URL failed

Hello Team VMware,

Today, I want to try the new vLCM in combination with HPE iLO Amplifier to firmware-patch my ESXi hosts.

I successfully installed the HPE iLO Amplifier appliance and let it communicate with the vCenter.

I also uploaded the 3 latest HPE SPP firmware into the appliance but I can't use it in the vCenter.

When I press "Add" for the Online Software Depot I get the following error:

Fetching of online depot URL failed. Depot URL not found in the SPP details.

Is somebody aware of that, or has anyone got the HPE iLO Amplifier with VUM to fly?

vCenter 7: 16386335
ESXi 7: 16324942
Amplifier: 1.70

I really appreciate your help in advance.

Greetings

KKvss

49 Replies
KKvss
Enthusiast

Got feedback from VMware Support - 21198885102:

This problem will be fixed with 7.0U2 coming March/April.

0 Kudos
stupots
Contributor

It seems that HPE and VMware haven't stuck to a consensus of whether to use FQDN or IP when vCenter communicates with the ILO Amplifier appliance and so this causes certificate issues and the depot errors...

ILO Amplifier 1.80 came out a few days ago and adds the IP to the SAN of the CSR, and the post above stating that VMware will fix the issue in March/April probably suggests that VMware will start using the FQDN to communicate with the Appliance rather than the IP. In summary, I believe that HPE and VMware are both trying to fix the same problem in their own way, so whatever you update first (to ILO Amplifier 1.80 or vCenter 7.01d) will fix a majority of the problems.

marcohald
Contributor

I also had a ticket opened with VMware regarding the Proxy Support.

They said the next VCenter Update will fix this.

The exact Problem was, when a HTTP or HTTPS Proxy and exception is configured, the Lifecycle Manager will not use the Proxy Exceptions.

Even when the Proxy is disabled in the Config File it is still used by the Lifecycle Manager.

@stupots Do we talk about the same issue with the Proxy that will be fixed or do you have no proxy configured at all?

0 Kudos
KKvss
Enthusiast

Thank you for pointing out that version 1.8 is available now 😀

1.8 is fixing the certificate issue and we don't need to wait for VMware vCenter 7.0U2 😋

0 Kudos
KKvss
Enthusiast

For me it's working and I never used a Proxy or disabled the proxy in the config file.

Just try 1.8 and put the certificate manually into the appliance:

true | openssl s_client -connect ip_of_amplifier:443 -showcerts >/tmp/iloamp-cert.crt
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/iloamp-cert.crt
cat /tmp/iloamp-cert.crt >> /usr/lib/python3.7/site-packages/certifi/cacert.pem
cat /tmp/iloamp-cert.crt >> /etc/pki/tls/certs/ca-bundle.crt
0 Kudos
Kurt_R
Contributor

I had to re-register the vcsa (after the 1.8 update) through iloamplifier and then I was able to add it successfully.

Is there a list of required permissions to register HSM to the vcsa? I'm currently using my admin account but would prefer to have a limited account for this.

0 Kudos
StueyMonster
Contributor

Yes, I do have a proxy configured and ILO Amplifier in the no proxy list, but after test removing the proxy settings and retrying I was still getting the same depot error on sync, so assumed it was the cert.

0 Kudos
KKvss
Enthusiast

To be honest... I have now been working intensively with the tool for a complete day.

Amplifier itself is cool (using it for 1 year), integration in VCSA is horrible with a lot of errors / warnings with details and I believe I won't use it in production 😪

0 Kudos
AlanMadsen
Contributor

Hi,

Had the same issue with it, but this also resolved it:

true | openssl s_client -connect ip_of_amplifier:443 -showcerts >/tmp/iloamp-cert.crt
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/iloamp-cert.crt
cat /tmp/iloamp-cert.crt >> /usr/lib/python3.7/site-packages/certifi/cacert.pem
cat /tmp/iloamp-cert.crt >> /etc/pki/tls/certs/ca-bundle.crt

Our original goal was to integrate OneView (OV4VC 10.1), but couldn't get it to work, however it was a similar issue (unable to register, download) so I took a snapshot of the vCenter and gave it a go, and now everything works perfectly, guess it's a Python thing?

The error we received in the VC was: An error occurred while downloading depot metadata from https://"OV4VC_HostName":3512/static/vsphere-web-client/XXXXXX

This resolved it (same script, just included the OV4VC and OneView certs.)

true | openssl s_client -connect IP_OF_OneView:443 -showcerts >/tmp/oneview.crt
true | openssl s_client -connect IP_OF_Ov4VC:443 -showcerts >/tmp/ov4vc.crt


/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/oneview.crt
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ov4vc.crt


cat /tmp/oneview.crt >> /usr/lib/python3.7/site-packages/certifi/cacert.pem
cat /tmp/oneview.crt >> /etc/pki/tls/certs/ca-bundle.crt

cat /tmp/ov4vc.crt >> /usr/lib/python3.7/site-packages/certifi/cacert.pem
cat /tmp/ov4vc.crt >> /etc/pki/tls/certs/ca-bundle.crt

vCenter  Version:7.0.1.00300, Build number: 17491101

OV4VC: Version: 10.1

Oneview: Version: 5.50.00-0426657

http://dk.linkedin.com/in/amadsen
0 Kudos
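
A pre-check for the certificate import shown in the posts above, and for the SAN point (IP versus FQDN) raised earlier in the thread. This is an added example, not code from any poster, VMware or HPE: it keeps only the PEM blocks from a saved `openssl s_client -showcerts` capture, prints the leaf's SHA-256 fingerprint so it can be compared with the value the appliance itself displays, and reports whether the leaf is valid for the address the client will actually use. All function names and the sample capture are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): vet a certificate captured with
# `openssl s_client -showcerts` before publishing it to a trust store.
# All function names and the sample capture are constructed for illustration.

# Keep only the PEM blocks; s_client also writes session and verification
# text into the same stream.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Number of certificates in the capture (leaf first, then any chain).
count_certs() {
    extract_pem "$1" | grep -c -e '-----BEGIN CERTIFICATE-----'
}

# First certificate only: the one the server presented for itself.
leaf_pem() {
    extract_pem "$1" | sed '/-----END CERTIFICATE-----/q'
}

# SHA-256 fingerprint of the leaf, for comparison with the value shown on
# the appliance's own console or web UI.
leaf_fingerprint() {
    leaf_pem "$1" | openssl x509 -noout -fingerprint -sha256
}

# Succeeds only if the leaf is valid for the address the client will use.
# kind=ip checks iPAddress SAN entries; kind=host checks DNS names.
cert_matches() {  # usage: cert_matches <capture> ip|host <value>
    local opt
    case "$2" in
        ip)   opt=-checkip ;;
        host) opt=-checkhost ;;
        *)    return 2 ;;
    esac
    leaf_pem "$1" | openssl x509 -noout "$opt" "$3" 2>/dev/null | grep -q 'does match'
}

# Constructed capture: placeholder bodies, not real certificates.
write_sample_capture() {
    printf '%s\n' 'CONNECTED(00000003)' 'depth=0 CN = constructed-leaf' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtTEVBRg==' '-----END CERTIFICATE-----' \
        ' 1 s:CN = constructed-issuer' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0E=' '-----END CERTIFICATE-----' \
        'Verify return code: 18 (self signed certificate)' > "$1"
}
```

Run against a real capture, `cert_matches /tmp/iloamp-cert.crt ip <address>` failing while the `host` form succeeds is the IP-versus-FQDN mismatch described in the thread; `leaf_pem` gives a clean single-certificate file if only the leaf should be trusted.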
vjrk83
Enthusiast

I followed the steps you mentioned for cert, but I get these errors. Any idea?

I'm running amplifier 1.8.0 and have uploaded VUP version - P35974_001_VUP11A-SPP-VUP11A.2020_0831.14.iso and all my hosts are Gen9 running vmware 7.0update1c. Let me know if you need more details.

0 Kudos
AlanMadsen
Contributor

Hmm, I don't think it has anything to do with your certs.

Have you checked: http://vibsdepot.hpe.com/recipes/HPE-VMware-Recipe.pdf 

http://dk.linkedin.com/in/amadsen
0 Kudos
manfriday
Enthusiast

I don't think ILO amp supports Gen 9s.

Pretty sure you need Gen10s

0 Kudos
stupots
Contributor

ILO Amplifier supports Gen8, Gen9 and Gen10 servers.

0 Kudos
manfriday
Enthusiast

Yeah, sorry, I guess I misspoke. I meant the ILO amp plugin to vcenter doesn't support gen9s. (So you can't update gen9 firmware from vcenter.)

I'd be thrilled to find out I was wrong about that too. 🙂 We still have some Gen9s hanging around.

0 Kudos
vjrk83
Enthusiast

OK. When I look on the ILO amplifier, I do see this error. But it's installed, and unable to start on the server.

SUT mode not Supported. SUT not running. Agentless Management Service (AMS) not installed/running.

BTW, I'm unable to find any details on ILO amplifier plugin to support Gen9's.

0 Kudos
manfriday
Enthusiast

SUT is installed on the Gen9s (assuming you used the HPE image), but it doesn't get started because it's not supported on the version of ILO the Gen9s use.

You are running into all the same issues I ran into before I broke down and contacted HPE support, who told me gen9 was NOT supported with HSM.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00097866en_us

Page 14

Prerequisites:

"ProLiant and Apollo Gen10 or newer servers running ESXi version 7.0 or newer"

0 Kudos
vjrk83
Enthusiast

OK, what is the best way to update the firmware for Gen9 servers? Only the legacy way of mounting the ISO and updating HPSUM?

0 Kudos
manfriday
Enthusiast

Pretty sure you can still update the firmware thru the ilo-amp web interface, just can't update them via vCenter, or utilize the new vLCM images to deploy the firmware updates.

0 Kudos
vjrk83
Enthusiast

Do you know what is the ILO supported version to be upgraded to use the ilo-amp web interface for firmware upgrade for Gen9's via ILO amplifier to fix the below error?

SUT mode not Supported. SUT not running. Agentless Management Service (AMS) not installed/running.

0 Kudos
manfriday
Enthusiast

My guess is you cannot, but you'd need to contact HPE support to know for sure. 

0 Kudos