Hi there!
I've been having this issue with a fresh installation of Update Manager 4.1 u2 (4.1.0.8977) since the beginning, and frankly, I'm quite stuck. I have configured it to access the default update sources through our corporate proxy. Host patch definitions and even Linux guest patch definitions seem to download correctly and appear listed in the Patch Repository tab. However, Windows patches always fail to download. I looked into vmware-vum-server-log4cpp.log and found this. The lines in bold are what caught my attention:
[2012-01-25 13:54:37:912 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO] [vciSigUpdateTask, 1090] Downloading Windows patches from :https://xml.shavlik.com/data
[2012-01-25 13:54:37:912 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO] [vciSigUpdateTask, 921] Downloading Shavlik metadata for Windows VMs
[2012-01-25 13:54:37:928 'VciSigUpdateTask.SigUpdateTask{5}' 2720 DEBUG] [vciSigUpdateTask, 1595] First time download for 2
[2012-01-25 13:54:37:928 'patchStore' 2720 ERROR] [patchStore, 392] Metadata file asked for doesn't exist:
[2012-01-25 13:54:37:928 'VciSigUpdateTask.SigUpdateTask{5}' 2720 WARN] [vciSigUpdateTask, 182] Unable to get reference to previously downloaded metadata: Metadata file asked for doesn't exist:
[2012-01-25 13:54:37:928 'httpDownload' 2720 INFO] [httpDownload, 571] Downloading https://xml.shavlik.com/data/hfnetchk6b.cab via proxy proxy.corporate.domain:80
[2012-01-25 13:54:38:178 'httpDownload' 2720 INFO] [httpDownload, 791] Status code: 200
[2012-01-25 13:54:56:022 'httpDownload' 2720 INFO] [httpDownload, 571] Downloading https://xml.shavlik.com/data/pd5.cab via proxy proxy.corporate.domain:80
[2012-01-25 13:54:56:506 'httpDownload' 2720 INFO] [httpDownload, 791] Status code: 200
[2012-01-25 13:54:58:022 'JobDispatcher' 1940 DEBUG] [JobDispatcher, 391] The number of tasks: 1
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO] [internalScheduledTasksMgr, 196] Internal Scheduled Tasks Manager Timer callback...
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO] [internalScheduledTasksMgr, 678] InvokeCallbacks. Total number of callbacks: 7
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO] [internalScheduledTasksMgr, 305] Internal Scheduled Tasks Manager Timer callback end of this timer slice.....Rescheduling after 300000000 microseconds
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO] [internalScheduledTasksMgr, 745] Patch store disk free space is: 160919785472
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO] [internalScheduledTasksMgr, 787] Temp directory disk free space is: 4868001792
[2012-01-25 13:55:08:006 'HealthServiceMgr' 2144 INFO] [healthServiceMgr, 316] VMware Remote Device Server is green
[2012-01-25 13:55:08:006 'HealthServiceMgr' 2144 INFO] [healthServiceMgr, 316] VMware Update Manager Web Server is green
[2012-01-25 13:55:22:584 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO] [vciSigUpdateTask, 952] New metadata is available...
[2012-01-25 13:55:22:631 'shavlikMetadata' 2720 ERROR] [shavlikMetadata, 781] Cannot de-obfuscate Shavlik metadata file: Unspecified error ErrorInfo 003D0158 Error -2147467259 Wcode 0 Description Could not extract file ()from CAB file at 'C:\WINDOWS\TEMP\vcipezegixh.tmp\hfnetchk6b.cab'
[2012-01-25 13:55:22:631 'shavlikMetadata' 2720 ERROR] [shavlikMetadata, 786] Cannot de-obfuscate Shavlik metadata file: Unspecified error
[2012-01-25 13:55:22:631 'VciSigUpdateTask.SigUpdateTask{5}' 2720 ERROR] [vciSigUpdateTask, 1038] Error downloading new Windows updates: Cannot de-obfuscate Shavlik metadata file: Unspecified error
As you see, It seems that it can download the .cab files containing the Windows patch definitions (it gets an HTTP 200), but cannot somewhat process those .cab files. I cheched directory permissions on C:\WINDOWS\TEMP and seem to be OK to me.
So my question is: Has anybody gone through something similar to this? Any Ideas would be appreciated.
Thanks in advance!
Hello,
I have been getting the same "Cannot De-obfuscate Shavlik Metadata Error" as well on my Update Manager. This error started about the same time as you posted on here (01/15/2012. My Linux and host updates are runing fine. The main issue I am having is with Windows Patches. I opened a trouble ticket with the VMWare esclation teams after I tried to resolve it in many ways. I understand that VMWare is going away from supporting Windows patching on the 5.0 version, but we are not there yet. I am stuck. I will keep you updates when I hear anything about this.
Best Regards,
Saquan
Hi Saquan!
Thanks for answering, So I know I'm not the only one having this issue. Right now, I gave up on solving the issue on my own as well, as I don't know what else to try. I'm going through my contacts asking for a similar experience. Whenever a find someting I'll post it here so we all know about it.
Thanks again and good luck!
Martin
Hi Saquan / Everyone
Anyone manage to get this problem resolved?
I'm on VUM 4.1 Update 1 and having the same issues. Reinstalled etc etc, still not working ...
Hi Everyone. I think I have a solution for you. I worked with VMware Support on the same issue and we finally found a root cause -- a missing Trusted CA Certificate. Are you using Windows Server 2008 (and not 2008 R2) by chance? I am on original Win Server 2008 and have a theory (unproven so far) that this doesn't affect Server 2008 R2.
Here were my steps to resolve the issue. I just posted a blog article about this an my experience. Please comment (on the blog or here) and let me know if this resolves your issues...
Cheers,
Philip
My Steps to Solve
Hi Phillip,
I am running the VUM on the vCenter server; OS = Win2K3R2-64bit.
I have carried out the steps suggested, but the problem still persists.
Attached is an excerpt from the vmware-vum-server-logXcpp.log
I have replaced my proxy IP in the logs, don't be alarmed.
Thanks & Regards
Have you tried downloading the CAB file it is unable to extract manually and examining it? In particular, look at the digital signature on the CAB file and see how it is signed. When I download it, its signed by a Shavlik certificate issued from VeriSign Class 3 Code Signing 2010 CA.
From your logs looks like it successfully downloads https://xml.shavlik.com/data/hfnetchk6b.cab and that this file is the one it cannot successfully extract. The logs look very similiar to my logs and my problem.
Also, try going into the Certificates MMC and make sure the VeriSign Class 3 Code Signing 2010 CA is in the Trusted Root Certification Authorities list.
Hope this helps,
Philip
Hi Philip,
Yes I was able to download the CAB & manually extact the content. There was only a single xml file.
The cert is already "trusted", refer to the pic.
Btw, I was unable to view the xml file using IE. Usually, it should be able to load with the tags etc.
Hi Philip,
The solution you proposed worked for me on Windows Server 2003R2 x64. I just installed the CA certificate and run a package definitions download. It worked flawlessly.
Thank you very much!
Very glad that it worked for you. I have also found that I had to enable the same certificates for any Guest OSes I was patching. I created a group policy to enable this trusted root cert on my domain.
I am still having some difficulties with off-domain systems, even when I manually add the certificate. If I find a solution there, I'll report it back here also.
I continued to have some problems patching off-domain systems after these original posts. I have finally got a proven solution for the final few guest instances that I could not patch - it was Microsoft's April 2012 Root Certificate Update missing on the guest's that were having problems. Once installed, they have patched without any issues.
Worked with support and also found a pertient KB article in the VMware KB (http://kb.vmware.com/kb/2018897). I did the two things it suggested - I updated vCenter Server 4.1 Update 3 and installed the April 2012 Root Certificate Update. The tricky part was finding an installer for Win 2003 and 2008 Server -- I finally located these updates at http://catalog.update.microsoft.com. Once I installed the certificate update, I was able to successfully scan and remediate these off-domain systems.
Try delete the 32bit obdc connection and recreate it. it worked for me. I saw an odbc error in the log, and just delete and re-create.