VMware Cloud Community
ExpletiveDelete
Enthusiast
Enthusiast
‎04-19-2017 04:57 AM

vCenter 6u3b upgrade - file not digitally signed

When attempting to install the vCenter 6u3b upgrade, error produced:

A file that is required cannot be installed because the cabinet file <path>\vmware-jmemtool.msi is not digitally signed. This may indicate that the cabinet file is corrupt.

The issue being that I've downloaded this .ISO 3 times. Each time, the SHA256 hash matches (checked via powershell). I have not checked MD5 or SHA1 hashes.

I am using all self-signed certs, on W2k12-r2 with SQL server back-end on a separate system.

Comments? Ideas? Baklava?

14 Replies
JimKnopf99
Commander
Commander
‎04-19-2017 05:04 AM

Hi,

did you look at the msi paket in detail and check the certificate trust? Maybe there is a missing root certificate on your server system.

Right click the msi paket and check the digital signature tab.

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
ExpletiveDelete
Enthusiast
Enthusiast
‎04-19-2017 05:50 AM

Apparently that's the issue. Its states "one of the countersignatures is not valid. The file may have been altered".

so now I'm lost. Since the SHA256 hash matches, that means the file cert had an issue BEFORE vmware GA'd it? But i haven't seen anyone else with the problem.

Thanks...

0 Kudos
JimKnopf99
Commander
Commander
‎04-19-2017 06:05 AM

No, you are not lost 😉

Install the missing root certificate into your local certificate store and you will be fine.

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
JimKnopf99
Commander
Commander
‎04-20-2017 02:12 AM

Please mark question as answered.

Thanks

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
Ukusic
Enthusiast
Enthusiast
‎04-24-2017 06:17 AM

We have the exact same problem as you, did you get it to work?

JimKnopf99
Commander
Commander
‎04-24-2017 07:00 AM

did you try to install the missing certificate?

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
vmtechnician
Contributor
Contributor
‎04-24-2017 09:48 AM

I am also getting the error. I have attempted to install the certificate, but perhaps I've not installed the correct certificate or in the correct store.

I'm still getting the error even after installing the certificate in Local Computer Account - Trusted Root Certificate Authority.

The countersignatures certificate:

Starfield Services Root Certificate Authority - G1 "Windows does not have enough information to verify this certificate" and the certificate status is "The issuer of this certificate could not be found."

0 Kudos
JimKnopf99
Commander
Commander
‎04-25-2017 01:33 AM

Did you try to install the whole certificate chain? Not only the certificate itself?

Root, sub certificate. trusted root certification authorities

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
vmtechnician
Contributor
Contributor
‎04-25-2017 06:43 AM

This worked for me.

Workaround:

  • Disable the OS setting (which is required by DoD security) "Turn off Automatic Root Certificate Update". By disabling this your computer will contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.

NOTE: This change should be done by the customer and under his own risk, nevertheless, if you would like to check if the setting is enabled you can go to Local Computer Policy/Administrative Templates/System/Internet Communication Management/Internet Communication Settings

I disabled the local computer policy (mmc gpedit.msc) detailed above. The certificate was confirmed to be valid. I then re-enabled the local computer policy.

Using an administrator powershell console, I ran the vcenter installer and it no longer gave the certificate error.

0 Kudos
IBMMart
Contributor
Contributor
‎04-27-2017 03:58 PM

I'm having this same issue as well.  I've found most of the certificates online but cannot find the GlobalSign Timestamping CA - G2 root certificate.  I've got a case open with VMware to attempt to get this particular certificate for install.

0 Kudos
SR2010
Contributor
Contributor
‎04-29-2017 02:39 AM

The exact certificate is identified as "Starfield Services Root Certificate Authority"...note, there is no "G1" or "G2".  We had to open a case with VMware and they sent the proper certificate.

IBMMart
Contributor
Contributor
‎05-01-2017 06:31 AM

The case has been answered and closed.  If you are receiving unknown counter signature error during install and the associated certificate was signed by GlobalSign Timestamping CA - G2 root certificate then you can use the below link to download the GlobalSign Root R2 certificate for install (install into the local Computers Trusted Certificate Authorities container).

GlobalSign Root Certificates

0 Kudos
ZigMan00
Contributor
Contributor
‎06-29-2017 02:13 PM

How do I get that same certificate? "Starfield Services Root Certificate Authority" not G1 and not G2.

CertError.png

I'm needing the Starfield Certficate Chain - G1

0 Kudos
rgiegeri
Contributor
Contributor
‎08-11-2017 11:54 AM

I had the same issue, and downloaded the "Starfield Services Root Certificate" from https://certs.secureserver.net/repository

0 Kudos