Update: VMware has published a KB article related to this issue. It is available at http://kb.vmware.com/kb/2018897.
Several months ago, our VMware Update Manager simply stopped updating from its Shavlik repository. It seemed to affect only Windows patches being downloaded; the VMware patches continued without any issues. After a few months of troubleshooting with VMware support, a resolution was located and implemented in our environment, and it's a pretty simple solution.
Problem background
For a bit of background, the primary issue we noticed is that when trying to download updates from the repository, I received a generic error “Cannot download patch definitions” in the vCenter tasks. After looking into it, I found that if I unchecked the Windows patch option in the Patch Download Settings section of Update Manager’s configuration tab, the error would not appear. It was only when Windows patches were enabled that the error happened.
I uninstalled and reinstalled Update Manager against the same database and reinstalled a second time with a new database. Neither of these steps fixed the problem and so I opened a case with VMware support.
With support, I began digging into the log files for Update Manager and found more details in the files. We noticed the Update Manager would pull down a .cab file from the Shavlik servers. After the successful download, Update Manager immediately logged an error, “Error downloading new Windows updates: Cannot de-obfuscate Shavlik metadata file.” Although the error gives a little more detail, it still wasn’t enough to point to a concrete cause. It took VMware a couple of months, but finally, a simple solution was found.
The Solution
The issue is due to an untrusted certificate associated with the signed .cab file being downloaded: the file is digitally signed, and the certificate behind that signature was not trusted on the server. At some point earlier this year, the Shavlik Windows patches began using a new Verisign certificate that was not installed on my Windows Server 2008 server (not R2). To fix the problem, follow these steps:
- Using Firefox (a VMware recommendation), download the following cabinet file: https://xml.shavlik.com/data/pd5.cab
- Right-click the pd5.cab file and go to Properties.
- Go to the Digital Signatures tab, click on the name of the signer, which should be Shavlik Technologies, and click the Details button.
- The Digital Signature Details window will appear. Click the View Certificate button.
- The Certificate window will appear. Go to the Certification Path tab. Go to the root Verisign certificate and make sure that the Certificate status says “This certificate is OK.”
- Click the certificate labeled “Verisign Class 3 Code Signing 2010 CA” and click View Certificate. Ensure that this certificate is valid and trusted. Click the Install Certificate button and the Certificate Import Wizard will appear.
- Click Next and choose the Place all certificates into the following store option. Click Browse and select the Trusted Root Certification Authorities store. Click Next and then click Finish.
At this point, the missing trusted CA certificate is installed and your download process should begin working again. In my environment, Update Manager is running on the original Windows Server 2008 release and not on 2008 R2. I suspect many people have vCenter and Update Manager running on Windows Server 2008 R2, which may not encounter this issue (I am not sure). VMware Support indicated that a KB article will be published for this issue. I will try to follow up and link it once it is published.
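The chain inspected in the dialogs above can also be checked from PowerShell, before and after the import. This is an added example, not from VMware or the original post. It assumes PowerShell 2.0 or later and that pd5.cab was saved to the Downloads folder; the function name is hypothetical.

```powershell
# Added example (not from VMware or the original post).
# Assumption: pd5.cab was saved to the current user's Downloads folder.
param([string]$CabPath = "$env:USERPROFILE\Downloads\pd5.cab")

function Get-CabSignatureChain {
    param([string]$Path)

    # Status is 'Valid' only when the file hash matches the signature and the
    # signer chains to a root that is trusted in this context.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate -eq $null) {
        throw "No Authenticode signature found on $Path"
    }

    # Rebuild the chain so every element and its failure reason is visible.
    # Evaluated at the current time with revocation checks off, so an expired
    # but time-stamped signer can show NotTimeValid while $sig.Status is Valid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($sig.SignerCertificate)

    # The CurrentUser view normally also lists machine-wide roots; a certificate
    # found only there is trusted for this account, not for a service account.
    $machineRoot = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    $userRoot    = @(Get-ChildItem Cert:\CurrentUser\Root  | ForEach-Object { $_.Thumbprint })

    $elements = @(foreach ($e in $chain.ChainElements) {
        $c = $e.Certificate
        New-Object PSObject -Property @{
            Subject     = $c.Subject
            NotAfter    = $c.NotAfter
            SelfSigned  = ($c.Subject -eq $c.Issuer)
            MachineRoot = ($machineRoot -contains $c.Thumbprint)
            UserRoot    = ($userRoot -contains $c.Thumbprint)
            Problems    = (($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    })

    New-Object PSObject -Property @{
        File            = $Path
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        ChainBuilt      = $built
        Elements        = $elements
    }
}

$result = Get-CabSignatureChain -Path $CabPath
$result | Format-List File, SignatureStatus, StatusMessage, ChainBuilt
$result.Elements | Format-Table Subject, SelfSigned, MachineRoot, UserRoot, Problems -AutoSize
```

Run it in the account that performed the import. A row with `SelfSigned` False and a root-store column True is an intermediate CA that has been installed as a trust anchor on that machine.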