Fix – vSphere Update Manager fails to download patches
This is a quick article to document a fix to an issue I came across the other day with vSphere Update Manager (VUM) failing to download patches.
Error Description
Recently I installed a new instance of vSphere Update Manager. Once I had configured the appropriate settings (including proxy details), I tried to kick off a download to get all of the latest patches from VMware.
This is where I stumbled into an issue. Downloading the patches failed. I checked the vSphere Update Manager logs and found the following error:
Error 12175 from WinHttpSendRequest for url https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
vSphere Update Manager Logs?
First step in troubleshooting is to check the logs right? If you don’t know where your Update Manager Logs are stored, then have a look at VMware KB 2038036.
Why is this happening?
After some researching (i.e. googling), I found out that this is a result of vSphere Update Manager not being able to trust or verify the SSL certificate of the URL it is downloading the patches from.
This seems a little weird to me as the download source is from VMware itself! In saying that, I guess it does check the SSL certs before downloading as you can add custom download sources which might not be secure. So I guess this check is valid and a good idea, even though by default it blocks downloading updates.
In any case, this is how you fix it…
Solution
To solve the problem of vSphere Update Manager failing to download patches, complete the following steps:
- Log into the vSphere Update Manager (VUM) server as an administrator
- Launch Registry Editor (Start >> Run >> regedit)
- Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Update Manager - Change the
SslVerifyDownloadCertificateregistry key value from a1to a0 - Restart the VMware vSphere Update Manager service
Warning: Making this change could potentially be seen as a security risk, as you are no longer going to be validating the SSL certificate prior to downloading. Not a big issue if you are going to be using the default VMware download sources, however it might be more of an issue if using custom download sources.
More Information
I didn’t re-invent the wheel or anything on the solution above. I got it directly from the VMware Knowledge Base. Only reason I even posted this is solution really is for additional visibility and maybe someone else is experiencing the same issue and may not be aware of the fix.
Anyway, if you are interested in more information, see VMware KB 2009000.
Also, just as an FYI, I have had this issue on both a vSphere 5.5 Update Manager install and a vSphere 6.0 Update Manager install. The solution documented above solved this for both environments.
Got any comments or questions? Let me know below…
Luca
Yes i had the same exact problem, but now that i am on VCSA, any idea how to change that ?
No: Just install the trusted root cert from digicert. The error you get specifies what URLs it does not trust. Use a trusted browser & go to that page & download the cert if both chrome & Firefox trust it. Reboot. Problem solved.