VMware UMDS: Internet Proxies and HTTPS Inspection

Since update manager is part of the vCenter Server appliance (VCSA), from a security perspective I don’t like the idea of providing the vCenter Server with internet access and here is where the beautiful UMDS (Update Manager Download Service) comes to play (a virtual machine that is in the DMZ with internet access and not joined to the domain).

The setup was fine and straight forward without any issues, and internet access was allowed to the VMware repository website via the internet proxy.

When we started to download the patches and updates I noticed that the VA files were only being downloaded and the rest were not, when listing the repository resources (using the -G option) I noticed that the VA repository was HTTP and the rest of the repositories were HTTPS.

I knew that HTTPS inspection was enabled and I had some concerns around it (noticed it when I tried to browse for the respository via an internet browser), going back to the logs:

[2018-02-06 09:47:40:197 ‘httpDownload’ 3004 WARN]  [httpDownload, 423] Download https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml failed: Error 12002 from WinHttpSendRequest for url https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

[2018-02-06 09:47:40:212 ‘httpDownload’ 3004 ERROR]  [httpDownload, 438] Reached retry download limit

[2018-02-06 09:47:40:215 ‘DownloadMgr’ 3004 ERROR]  [downloadMgr, 627] Executing download job {50170224} throws error: Reached retry download limit

[2018-02-06 09:47:40:220 ‘DownloadMgr’ 3004 INFO]  [downloadMgr, 713] Download failed but destination file C:\Users\ADMINI~1\AppData\Local\Temp\1\vcibvnllkxg.tmp exists and is valid. Ignoring error

[2018-02-06 09:47:40:229 ‘DownloadMgr’ 3004 INFO]  [downloadMgr, 575] Download job {50170224} finished, bytes downloaded = 0

[2018-02-06 09:47:40:232 ‘DownloadMgr’ 3580 DEBUG]  [downloadMgr, 466] Download job {50170224} finished

[2018-02-06 09:47:40:232 ‘DownloadMgr’ 3580 DEBUG]  [downloadMgr, 479] Removing download job {50170224} in queue

[2018-02-06 09:47:40:232 ‘DownloadMgr’ 3580 DEBUG]  [downloadMgr, 498] Current download count: 0

The security team was against disabling HTTPS inspection and to be honest I was not in favor of doing it as well, so I tried something simply stupid. From a thought process I put myself instead of the UMDS download service and thought that if I am reaching the certificate not trusted window and I don’t know how to click continue :-P then I will not be able to reach to the end website which is the repository URL.

Long story short, I added the CA root certificate to the trusted root certificates on the UMDS virtual machine and EURIKA =) retried the download and it worked like a charm.

I hope this helps,
(Abdullah)^2

1584 Total Views 1 Views Today

Abdullah

Knowledge is limitless.

5 Responses

  1. Cesar Marquez says:

    Which ports you needed to have opened from the UMDS vm towards the internet?

  2. DiMarco says:

    Hi, I am having sort of the same issue with the certs, could you explain in detail about how you solved it? i’m getting…
    ERROR – Executing download job {57875888} throws error: curl_easy_perform() failed: cURL Error: Failure when receiving data from the peer, Recv failure: Connection reset by peer
    INFO – Download failed but destination file /tmp/vciLg79MS exists and is valid. Ignoring error
    INFO – Download job {57875888} finished, bytes downloaded = 0
    ERROR – curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
    ERROR – Executing download job {139828498815376} throws error: curl_easy_perform() failed: cURL Error: Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate
    INFO – Download failed but destination file /tmp/vci4VsFLZ exists and is valid. Ignoring error
    INFO – Download job {139828498815376} finished, bytes downloaded = 0

    • Abdullah says:

      Hello, it seems with you have a proxy serving your internet connection. Browse a website (any website) and when you get the certificate just install it as a Trusted Root Certificate and you’ll be good to go.

  3. Cesar Marquez says:

    I am getting the same and at the end
    **********************************************
    Downloaded 0 updates, 0 VA upgrade files, download size: 0 MB.
    **********************************************

Leave a Reply

Your email address will not be published. Required fields are marked *