Lifecycle Manager Sync Fails

We are rolling out vSphere 7.0, and in our testing we were getting errors with Lifecycle Manager. Any attempts to synchronize updates fail with “A general system error occurred”. Not a lot of love in the vmware-vum-server.log file. We are using a proxy server for updates, but our other non-7.0 vCenter servers all work without issue. So what gives?

If you’ve configured a proxy server with Lifecycle Manager then you know they changed the location from Update Manager to the VAMI. I’m not sure why it was done like this, as having it accessible from within vCenter made it much more centralized. Anyway, I validated that the proxy server settings were configured identically to my 6.7 vCenter server instances. But the updates… they continue to elude me!

Lifecycle Manager Proxy Settings

I perform some basic troubleshooting against the proxy server. Connectivity tests were all good, and there were no access denied messages. I ran a curl from the vCenter to one of the Lifecycle Manager depots, which fails with a “curl: (35) error”. I tested the same command but with http, and it worked! Okay, so narrowing it down to something with https. But what? VMware support time!

root@vcsa01 [ ~ ]# curl -v https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
* Uses proxy env variable https_proxy == 'https://192.168.10.102:3128/'
   Trying 192.168.10.102...
* TCP_NODELAY set
* Connected to 192.168.10.102 (192.168.10.102) port 3128 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

We continue to focus our efforts on the proxy server settings within vCenter. I noticed that changes to the proxy configuration file were not taking effect immediately, so I overrode it with the https_proxy environment variable. This allowed me to test with different proxies to rule out the proxy server without having to reboot the vCenter server.

export https_proxy=192.168.10.102:3128

Another change in the proxy server settings from Update Manager to Lifecycle Manager is that you are required to enter the protocol prefix for the server address. This cannot be omitted when configuring the proxy via the VAMI. However, the command line has no such constraint. I set the proxy with just the proxy server name, and https works! Reboot, and it fails again.

When I output the environment variables for the proxy, the omitted prefixes were automatically added back. Sure enough, the config file confirms that my entries were prefixed with http:// and https://, respectively. We get another engineer on the line, who states that this is a known bug with vCenter 7.0.

The workaround is to manually set the https proxy with http:// as the prefix. This needs to be set via the /etc/sysconfig/proxy file, as it cannot be configured through the VAMI. For the change to take effect, the vCenter needs to be rebooted. However, after making the change you can set the https_proxy environment variable to start synchronizing immediately.
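
The curl trace above shows the client sending a TLS Client Hello to the proxy port itself, which is what an https:// proxy prefix asks for. The following check is an added example, not part of the original post or any VMware tooling: it classifies the HTTPS proxy entry by prefix, assuming /etc/sysconfig/proxy holds KEY="value" lines with keys named HTTPS_PROXY, HTTP_PROXY and PROXY_ENABLED. The function names and verdict strings are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the proxy file holds
# KEY="value" lines and that the HTTPS entry is named HTTPS_PROXY.

# Classify one proxy URL by its scheme prefix.
classify_proxy_value() {
    # Lowercase so HTTP:// and http:// are treated alike.
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $v in
        "")        echo "unset" ;;
        http://*)  echo "ok-http" ;;       # plain-text connection to the proxy (workaround form)
        https://*) echo "tls-to-proxy" ;;  # client starts TLS with the proxy itself
        *)         echo "no-scheme" ;;     # per the post, a prefix is added back after reboot
    esac
}

# Extract the last uncommented HTTPS_PROXY assignment from file $1 and classify it.
check_proxy_file() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    value=$(sed -n 's/^[[:space:]]*HTTPS_PROXY[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//')
    classify_proxy_value "$value"
}

# Constructed sample in the failing state described in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PROXY_ENABLED="yes"
HTTP_PROXY="http://192.168.10.102:3128/"
# HTTPS_PROXY="http://old.example:3128/"
HTTPS_PROXY="https://192.168.10.102:3128/"
EOF
echo "file: $(check_proxy_file "$sample")"
echo "env:  $(classify_proxy_value "${https_proxy:-}")"
rm -f "$sample"
```

On an appliance, run `check_proxy_file /etc/sysconfig/proxy` after a reboot to confirm the http:// prefix on the HTTPS entry survived.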

6 responses to “Lifecycle Manager Sync Fails”

  1. This issue was resolved in vCenter because we were actually testing LCM using a vCenter in an environment that requires the use of a Proxy server. Then we had to update to 7.0u2b, and after that, THIS issue started happening (which thanks to this Blog entry we identified the issue). That indicates there was a regression in the last vCenter version release. We have an SR open for this specific issue since it is a bug, and it’s happening in a production environment.
