Hey everyone, I was working on a project recently with a vSphere environment that wasn’t permitted access to the internet, so when it came time to upgrade the hosts and perform patching/baseline remediations, we needed to bring our own files.

Upon trying to upload a patch or ISO to the vSphere Update Manager, the upload would fail immediately with a red banner and an exclamation mark, but without an error message. A quick bit of searching allowed me to stumble upon the following KB article: https://kb.vmware.com/s/article/79588 which indicated that the vSphere Update Manager certificate was absent from the trusted roots keystore on the vCenter Server. This wasn’t exactly true but it did provide me with some useful pointers to resolve the issue.
Diving into the logs at /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log I could see the error messages that were the same as the KB article, but in this scenario the vCenter Server was using a certificate signed by the customer’s internal certificate authority, and the root certificate was installed on the vCenter Server Appliance. However, in this scenario the infrastructure also had an intermediate certificate authority, and whilst the root certificate authority had been imported, the intermediate certificate authority had not. Upon importing the public certificate for the intermediate certificate authority to the trusted roots store, the issue was resolved and files could be uploaded.
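
The failure mode described above, reproduced offline as an added example (not from the original post or from VMware): a leaf certificate issued by an intermediate CA fails validation when only the root is trusted, and passes once the intermediate is added to the trusted set. The function names, file names and CNs are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (root -> intermediate -> leaf).
# All names and files are constructed; nothing here touches a real vCenter.

# make_pki DIR: build a throwaway root CA, intermediate CA and leaf cert in DIR.
make_pki() {
    pki_dir=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > "$pki_dir/pki.cnf"
    for n in root int leaf; do
        openssl req -new -config "$pki_dir/pki.cnf" -newkey rsa:2048 -nodes \
            -keyout "$pki_dir/$n.key" -out "$pki_dir/$n.csr" \
            -subj "/CN=constructed-$n" 2>/dev/null || return 1
    done
    # Self-signed root CA.
    openssl x509 -req -in "$pki_dir/root.csr" -signkey "$pki_dir/root.key" \
        -days 1 -extfile "$pki_dir/pki.cnf" -extensions ca \
        -out "$pki_dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl x509 -req -in "$pki_dir/int.csr" -CA "$pki_dir/root.pem" \
        -CAkey "$pki_dir/root.key" -CAcreateserial -days 1 \
        -extfile "$pki_dir/pki.cnf" -extensions ca \
        -out "$pki_dir/int.pem" 2>/dev/null || return 1
    # Leaf (stands in for the service certificate), signed by the intermediate.
    openssl x509 -req -in "$pki_dir/leaf.csr" -CA "$pki_dir/int.pem" \
        -CAkey "$pki_dir/int.key" -CAcreateserial -days 1 \
        -out "$pki_dir/leaf.pem" 2>/dev/null || return 1
}

# chain_ok LEAF CA_PEM...: return 0 only if LEAF chains to the listed trusted
# certificates, 1 if validation fails, 2 if no temp file could be created.
chain_ok() {
    leaf=$1; shift
    bundle=$(mktemp) || return 2
    cat "$@" > "$bundle"
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$bundle"
    return "$rc"
}
```

After `make_pki "$dir"`, `chain_ok "$dir/leaf.pem" "$dir/root.pem"` fails, while `chain_ok "$dir/leaf.pem" "$dir/root.pem" "$dir/int.pem"` succeeds.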
