On 24 Aug 2011

Tech Notes, VMware


In June 2011 VMware updated the secure key used for VMware Update Manager.  In order to prepare for this they made an update available well in advance, which would allow updates to continue.

However, if you need to reinstall an ESX host from scratch, and your install method uses an older build, your rebuilt machine may be unable to update. This is especially a problem for legacy ESXi environments, where you may be rebuilding from an old USB key image that you'd otherwise have to go to the effort of recreating. Chances are you'll come across this problem with the following error from the VI Client when you try to scan for updates or remediate…

VMware Update Manager had a failure


Further investigation will show something similar to the anonymised output below in your /var/log/vmware/esxupdate.log…

[2011-08-23 16:33:06] Checking depot integrity at :http://192.168.40.100:80/vci/hostupdates/hostupdate/embeddedEsx/embeddedEsx-3.5.0
[2011-08-23 16:33:06] Checking signatures of metadata for depot :http://192.168.40.100:80/vci/hostupdates/hostupdate/embeddedEsx/embeddedEsx-3.5.0...
[2011-08-23 16:33:06] Checking signature of contents.xml...
[2011-08-23 16:33:06] Signature is invalid :Key expired
[2011-08-23 16:33:06] Signature checking failed on file :/tmp/esxupdate/esxupdate-24871-1314117176-ce9b48a2.tmp
[2011-08-23 16:33:06] Expected digest :139e0896271202b132430741d183fbb8f0472dba
[2011-08-23 16:33:06] Public key id :0BGA1C260F0B032CF5CD5D2ADE7D35B14789B916
[2011-08-23 16:33:06] Signature value :-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sha1 gpg 139e0896271202b132430741d183fbb8f0472dba
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQCVAwUBTGzGJe55NbFHibYZAQJ4hAQAnEZpCerwZUpmuE8ZqZ1Bn+boJW0ntm5n
KKJdVcn5vUecByrmMuku3JXA99wDz48GnKORXWDbF6DDuzV4HBRLjmO23KN/45m6
zaYFdM0Rn6TWdr0xgMn3k2U51GxFAPrapJJzWFMjIf+KI1uA2JaBNvGCp3nswW/g
rliIbIekuOc=
=MsNm
-----END PGP SIGNATURE-----

[2011-08-23 16:33:06] ERROR: Signature check failed.
[2011-08-23 16:33:06] Failed to verify depot integrity.

To resolve this you need to install the patch package that includes the key update, and to do that you need to circumvent secure signature checking. The generic command you need is…

ESX:  esxupdate -d <URL to Patch Depot> -N -b ESX350-201012410-BG update
ESXi: esxupdate -d <URL to Patch Depot> -N -b ESXe350-201012401-I-BG update

Your <URL to Patch Depot> can be found in the esxupdate.log on the ESX host whose updates are failing, so using the above as an example…

esxupdate -d http://10.12.255.20:80/vci/hostupdates/hostupdate/embeddedEsx/embeddedEsx-3.5.0 -N -b ESXe350-201012401-I-BG update
reboot


Make sure your patch depot is up to date, otherwise the above may fail as your Update Manager won’t have the patch!
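
As an added example (not from the original post or from VMware), this POSIX shell script reads a copy of esxupdate.log, extracts the depot URL, and prints the matching command, but only when the recorded failure is "Key expired", so the signature bypass is not used for any other verification error. The function names and the embedded sample log (abridged from the excerpt above) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: builds the key-update command from esxupdate.log.
# It only prints the command; it never runs esxupdate itself.

# Sample input, abridged from the log excerpt in the post.
sample_log() {
cat <<'EOF'
[2011-08-23 16:33:06] Checking depot integrity at :http://192.168.40.100:80/vci/hostupdates/hostupdate/embeddedEsx/embeddedEsx-3.5.0
[2011-08-23 16:33:06] Checking signature of contents.xml...
[2011-08-23 16:33:06] Signature is invalid :Key expired
[2011-08-23 16:33:06] ERROR: Signature check failed.
EOF
}

# Print the depot URL of the last scan whose signature check failed
# with "Key expired". Returns 1 if the log holds no such failure.
depot_from_log() {
    depot=""; failed=""
    while IFS= read -r line; do
        case "$line" in
            *"Checking depot integrity at :"*)
                depot=${line#*Checking depot integrity at :} ;;
            *"Signature is invalid :Key expired"*)
                failed=$depot ;;
        esac
    done < "$1"
    [ -n "$failed" ] || return 1
    printf '%s\n' "$failed"
}

# Map the product to the bundle ID given in the post.
bundle_for() {
    case "$1" in
        ESX)  echo "ESX350-201012410-BG" ;;
        ESXi) echo "ESXe350-201012401-I-BG" ;;
        *)    return 1 ;;
    esac
}

# $1 = ESX or ESXi, $2 = path to a copy of esxupdate.log
key_update_command() {
    bundle=$(bundle_for "$1") || return 1
    url=$(depot_from_log "$2") || return 1
    printf 'esxupdate -d %s -N -b %s update\n' "$url" "$bundle"
}

tmp=$(mktemp); sample_log > "$tmp"
key_update_command ESXi "$tmp"
rm -f "$tmp"
```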


For further info see the following VMware KB articles:

ESX:  http://kb.vmware.com/kb/1030001
ESXi: http://kb.vmware.com/kb/1030002
