VMware Communities
arig
Contributor

"Certificate error occurred for the update server." msg when doing a VMWare Tools Download or Check for updates

I've performed a clean install of VMware Fusion 5.0.2 on a new machine running OS X 10.8.2. Every time I attempt to create a new VM (I've tried Ubuntu 12.04 & 12.10) and the tools download process starts, I get the error "Certificate error occurred for the update server."

I've also noticed that doing a simple "Check for updates..." produces the same error msg.

Is anyone else seeing this? Any ideas on how to resolve?

Thanks

0 Kudos
23 Replies
WoodyZ
Immortal

Any ideas on how to resolve?

Download and install the Full Package not the Light Package! ;)

Example: VMware-Fusion-5.0.2-900491.dmg not VMware-Fusion-5.0.2-900491-light.dmg

arig
Contributor

Thanks for the quick reply WoodyZ...

I did a complete manual uninstall of the light version and then installed VMware-Fusion-5.0.2-900491. The Ubuntu guest install now works - it appears that the tools are included in the full pkg so there is no need to download but I'm still seeing the cert error when I select "Check for Updates..." Not sure if this is a known issue?

0 Kudos
WoodyZ
Immortal

but I'm still seeing the cert error when I select "Check for Updates..." Not sure if this is a known issue?

At the present time there are no updates for VMware Fusion beyond 5.0.2 so stop checking! ;)

0 Kudos
arig
Contributor

I know... you're right. Just stuff like that bugs me. Anyway, thanks again for the help.

0 Kudos
asaf0000
Contributor

Hey,

I just hit this error too,

The download options say:

VMware-Fusion-5.0.2-900491.dmg

Download including VMware Fusion and a 12 month complimentary subscription to McAfee VirusScan Plus (Recommended)

VMware-Fusion-5.0.2-900491-light.dmg

Download including only VMware Fusion software

I don't want any McAfee subscription, this would make my env dirty with things I don't want,

In fact it's a shame that VMware pushes more apps from other companies into their packages, like a 1 person company that gets some extra bucks from bundling some browser Toolbar extension into his installer.

So, I want to stick with the light version and I want the 'VMWare tools' installation to work,

And yes, I expect the updates to be working, and if there's nothing newer, I'd expect to get a nice message that gently notifies that I have the latest version instead of ugly error.

In fact, I'm super disappointed with Fusion compared to Parallels, but this will go to another thread.

Thanks.

0 Kudos
dariusd
VMware Employee

It looks like the SSL certificate on the update server was renewed yesterday and replaced with a certificate which is only valid starting yesterday:

Issued To
Common Name (CN) *.vmware.com
Organization (O) VMware
Organizational Unit (OU) IT Operations
[...]

Validity

Issued on 03/02/2013
Expires on 03/02/2014

If your system's clock is running behind (or if we deployed the new certificate too early!), there will be a transitory period in which certificate validation will fail because your machine thinks the certificate shouldn't be valid yet.  I don't know how time zones work for certificate validation, but maybe if your time zone is set incorrectly it could fail too (even if your clock shows the right time!).  So perhaps check your host's timezone, date and time.

Cheers,

--

Darius

0 Kudos
dariusd
VMware Employee

Hi asaf0000,

The "full" download includes the McAfee software, but it does not automatically install it anywhere.  If you don't explicitly choose to install it, it won't end up in your host or in any of your VMs (and there is no explicit consent hidden in the fine print!).  If I remember correctly, there's a menu item for "Install McAfee VirusScan" which you have to choose if you want to install it into your VM... without doing that, it doesn't install or run anywhere.

If you choose the "full" download, it'll behave exactly the same as the "light" download, except it doesn't need to separately download the VMware Tools packages or the McAfee VirusScan package should you choose to install them into a VM.

I commented elsewhere in this thread that the update server issue appears related to a recent renewal of the SSL certificate.  Check that your host's date, time and timezone are set correctly.  If there is a timezone issue, there's a good chance that the update server will automatically start working again tomorrow.

Cheers,

--

Darius

0 Kudos
asaf0000
Contributor

Thanks for answering,

I'm using NTP and I'm GMT +2 (Israel),

$ date

Sun Mar  3 23:25:04 IST 2013

This date is after the certification issued date so I'm not sure,

I'll wait for tomorrow, if it won't get solved then it's another issue.

Thanks.

0 Kudos
dariusd
VMware Employee

Hmmm... I'm now seeing this error here myself.  Looks like something went wrong with the certificate update...  I'll investigate and see if I can get it fixed.

Cheers,

--

Darius

0 Kudos
JulienClubic
Contributor

Hey there,


I see this error message too. This is brand new. Sounds like a glitch on VMware's side?

Thanks.

0 Kudos
SmileyOg
Contributor

I am getting the same message.

In my case it was noticed after the distro update of sles11.2 to sles11.3.

Is there any news of a fix?

Regards

Liam

0 Kudos
WoodyZ
Immortal

I guess neither one of you (JulienClubic and SmileyOg) saw this VMware employee's response in this same thread! ;)

Mar 3, 2013 6:53 PM in response to: asaf0000

Re: "Certificate error occurred for the update server." msg when doing a VMWare Tools Download or Ch...

That was last night on a Sunday and it's still very early now Monday morning in CA so I doubt it's been looked at, so give it at the least a few more hours! ;)

0 Kudos
avanish321
Expert

Any changes done to SSL usually take 24 hours to propagate as far as I understand. Hence users who are using 5.0.2, 4.1.4 may simply ignore the error message and wait for a further update unless you intend to install VMware Tools for a Linux guest OS.

Affected users may try out the workaround provided in the same thread.

Message was edited by: avanish321 Oops, this is not intended to woodyz. apologize

Cheers! Avanish
0 Kudos
Jwiedow
Enthusiast

It looks like the new Certificate was issued by a CA that is not trusted by the VMware Workstation default CA package. A quick Wireshark trace identified that the Certificate handshake was coming back as an 'Unknown CA'.

Opening up the VMware Update site (https://softwareupdate.vmware.com/cds) shows the new certificate issued on 3/2/2013 was provided by Baltimore CyberTrust Root and Cybertrust Public SureServer SV CA. If you open the trusted certificates (Mozilla-Root-Certs.crt) from the VMware Workstation Installation directory in a text editor and search for Baltimore it will come up with no results.

You are able to add the two certificates you need by following the instructions below.

  1. Open a browser and navigate to the https://softwareupdate.vmware.com website.
  2. Click on the Certificate icon to view the certificates for the site.
  3. Click on the Certification Path tab to view the full Certificate chain.
  4. Click on the root certificate Baltimore CyberTrust Root and click the View Certificate button.
  5. Click on the Details tab and then the Copy to File button.
  6. Export the certificate in Base-64 encoded X.509 format to your VMware Workstation installation directory as CyberRoot.cer.
  7. Repeat the above steps (4-6) for the Cybertrust Public SureServer SV CA certificate, saving the file out as CyberInter.cer.

You are now ready to add the certificates into the trusted CA store (Mozilla-Root-Certs.crt).

  1. Open a command prompt (or shell prompt if running on Linux) as Administrator or root.
  2. Start by making a backup of the original Mozilla-Root-Certs.crt file. Use the method of your choice. (copy mozilla-root-certs.crt mozilla-root-certs.crt.orig)
  3. Add in the Baltimore CyberTrust Root certificate using openssl. Openssl should be installed in the root of your VMware Workstation directory.
    1. openssl x509 -text -in CyberRoot.cer >> Mozilla-Root-Certs.crt
  4. Add in the Cybertrust Public SureServer SV CA certificate using the same command as above.
    1. openssl x509 -text -in CyberInter.cer >> Mozilla-Root-Certs.crt

You can verify that the certificates have been added successfully by opening up the Mozilla-root-certs.crt file in a text editor and searching for Baltimore. The search should return 6 results.

You are now able to run updates within VMware Workstation successfully.

I have not tried it, although the attached file and the same instructions above should work for a VMware Player installation and VMware Fusion installation as well.

As always, it is better to wait for the final solution from VMware in fixing their certificates.

0 Kudos
dariusd
VMware Employee

Thanks for the investigation, Jwiedow, and for posting an interesting workaround.  :smileycool:

We hope to have the underlying problem remedied at the server end "real soon now", so as much as I think Jwiedow's contribution is very cool, I'd advise users to not tamper with the certificate store unless you have a fairly good idea what you're doing and an urgent need to work around the problem.

And hearty Internet paranoia says you should be skeptical of anyone providing a file containing a trusted CA store through a medium that does not  provide authentication of its contents.  *shifty glance in direction of Jwiedow* :smileysilly:

Cheers,

--

Darius

0 Kudos
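
A guarded form of the append step from Jwiedow's workaround that takes dariusd's caution into account: the exported certificate goes into the bundle only when its SHA-256 fingerprint matches a value obtained from an authenticated source. This is an added example, not part of any post in the thread and not VMware's tooling; the function names are hypothetical, and the pinned fingerprint is an input you must supply yourself.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical; the
# pinned fingerprint must come from an authenticated source, not from the same
# download or forum attachment that supplied the certificate.

cert_fp() {      # SHA-256 fingerprint of a PEM certificate as bare upper-case hex
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

bundle_has() {   # bundle_has <bundle> <cert>: 0 if the cert is already in the bundle
    local want tmp c rc=1
    want=$(cert_fp "$2")
    [ -n "$want" ] || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM block, skipping any -text output.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem" }
                     f { print > f }
                     /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for c in "$tmp"/c*.pem; do
        [ -e "$c" ] || continue
        if [ "$(cert_fp "$c")" = "$want" ]; then rc=0; break; fi
    done
    rm -rf "$tmp"
    return "$rc"
}

trust_add() {    # trust_add <bundle> <cert> <pinned_sha256_hex>
    local got pin
    got=$(cert_fp "$2")
    [ -n "$got" ] || { echo "not a readable PEM certificate: $2" >&2; return 2; }
    pin=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$got" = "$pin" ] || { echo "fingerprint mismatch, refusing: $got" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired, refusing" >&2; return 1; }
    if bundle_has "$1" "$2"; then echo "already trusted, nothing to do"; return 0; fi
    cp -p "$1" "$1.orig.$(date +%Y%m%d%H%M%S)" || return 2   # keep a backup first
    openssl x509 -in "$2" >> "$1"
}

# Usage: ./trust_add.sh Mozilla-Root-Certs.crt CyberRoot.cer <fingerprint>
if [ "$#" -eq 3 ]; then trust_add "$@"; fi
```

Running it a second time with the same certificate leaves the bundle unchanged, and the timestamped `.orig` copy lets you revert once the server-side fix lands.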
avanish321
Expert

It appears that the issue is fixed. I am not getting the error anymore while checking for updates in Workstation.

Can anyone check with Fusion?

The SSL certificate shows that it's now verified by Akamai.

Message was edited by: avanish321

Cheers! Avanish
0 Kudos
Jwiedow
Enthusiast

Touche!

0 Kudos
dariusd
VMware Employee

I am sure it broke some fundamental law of the universe when I said "real soon now" and it happened... real soon!  :smileysilly:

Thanks everyone for your patience and help getting this resolved!

Cheers,

--

Darius

0 Kudos
DallasJeff
Contributor

So, is this another bug that VMware refuses to fix? Are they going out of business or selling off/shutting down certain products? Many processes are broken and many bugs are going without any bug fixes. It is so frustrating that VMware refuses to fix anything and support their software releases.

0 Kudos