mgcarmueja
Contributor

Update Manager 4.1 u2: won't download Windows patches

Hi there!

I've been having this issue with a fresh installation of Update Manager 4.1 u2 (4.1.0.8977) since the beginning, and frankly, I'm quite stuck. I have configured it to access the default update sources through our corporate proxy. Host patch definitions and even Linux guest patch definitions seem to download correctly and appear listed in the Patch Repository tab. However, Windows patches always fail to download. I looked into vmware-vum-server-log4cpp.log and found this. The lines in bold are what caught my attention:

[2012-01-25 13:54:37:912 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO]  [vciSigUpdateTask, 1090] Downloading Windows patches from :https://xml.shavlik.com/data
[2012-01-25 13:54:37:912 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO]  [vciSigUpdateTask, 921] Downloading Shavlik metadata for Windows VMs
[2012-01-25 13:54:37:928 'VciSigUpdateTask.SigUpdateTask{5}' 2720 DEBUG]  [vciSigUpdateTask, 1595] First time download for 2
[2012-01-25 13:54:37:928 'patchStore' 2720 ERROR]  [patchStore, 392] Metadata file asked for doesn't exist:
[2012-01-25 13:54:37:928 'VciSigUpdateTask.SigUpdateTask{5}' 2720 WARN]  [vciSigUpdateTask, 182] Unable to get reference to previously downloaded metadata: Metadata file asked for doesn't exist:

[2012-01-25 13:54:37:928 'httpDownload' 2720 INFO]  [httpDownload, 571] Downloading https://xml.shavlik.com/data/hfnetchk6b.cab via proxy proxy.corporate.domain:80
[2012-01-25 13:54:38:178 'httpDownload' 2720 INFO]  [httpDownload, 791] Status code: 200
[2012-01-25 13:54:56:022 'httpDownload' 2720 INFO]  [httpDownload, 571] Downloading https://xml.shavlik.com/data/pd5.cab via proxy proxy.corporate.domain:80
[2012-01-25 13:54:56:506 'httpDownload' 2720 INFO]  [httpDownload, 791] Status code: 200
[2012-01-25 13:54:58:022 'JobDispatcher' 1940 DEBUG]  [JobDispatcher, 391] The number of tasks: 1
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO]  [internalScheduledTasksMgr, 196] Internal Scheduled Tasks Manager Timer callback...
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO]  [internalScheduledTasksMgr, 678] InvokeCallbacks. Total number of callbacks: 7
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO]  [internalScheduledTasksMgr, 305] Internal Scheduled Tasks Manager Timer callback end of this timer slice.....Rescheduling after 300000000 microseconds
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO]  [internalScheduledTasksMgr, 745] Patch store disk free space is: 160919785472
[2012-01-25 13:55:08:006 'InternalScheduledTasksMgr' 2144 INFO]  [internalScheduledTasksMgr, 787] Temp directory disk free space is: 4868001792
[2012-01-25 13:55:08:006 'HealthServiceMgr' 2144 INFO]  [healthServiceMgr, 316] VMware Remote Device Server is green
[2012-01-25 13:55:08:006 'HealthServiceMgr' 2144 INFO]  [healthServiceMgr, 316] VMware Update Manager Web Server is green
[2012-01-25 13:55:22:584 'VciSigUpdateTask.SigUpdateTask{5}' 2720 INFO]  [vciSigUpdateTask, 952] New metadata is available...

[2012-01-25 13:55:22:631 'shavlikMetadata' 2720 ERROR]  [shavlikMetadata, 781] Cannot de-obfuscate Shavlik metadata file: Unspecified error ErrorInfo 003D0158 Error -2147467259 Wcode 0 Description Could not extract file ()from CAB file at 'C:\WINDOWS\TEMP\vcipezegixh.tmp\hfnetchk6b.cab'

[2012-01-25 13:55:22:631 'shavlikMetadata' 2720 ERROR]  [shavlikMetadata, 786] Cannot de-obfuscate Shavlik metadata file: Unspecified error

[2012-01-25 13:55:22:631 'VciSigUpdateTask.SigUpdateTask{5}' 2720 ERROR]  [vciSigUpdateTask, 1038] Error downloading new Windows updates: Cannot de-obfuscate Shavlik metadata file: Unspecified error

As you see, it seems that it can download the .cab files containing the Windows patch definitions (it gets an HTTP 200), but somehow cannot process those .cab files. I checked directory permissions on C:\WINDOWS\TEMP and they seem to be OK to me.

So my question is: Has anybody gone through something similar to this? Any ideas would be appreciated.

Thanks in advance!

0 Kudos
11 Replies
Saquan01
Contributor

Hello,

I have been getting the same "Cannot De-obfuscate Shavlik Metadata Error" as well on my Update Manager. This error started about the same time as you posted on here (01/15/2012). My Linux and host updates are running fine. The main issue I am having is with Windows patches. I opened a trouble ticket with the VMware escalation teams after I tried to resolve it in many ways. I understand that VMware is going away from supporting Windows patching on the 5.0 version, but we are not there yet. I am stuck. I will keep you updated when I hear anything about this.

Best Regards,

Saquan

0 Kudos
mgcarmueja
Contributor

Hi Saquan!

Thanks for answering, so I know I'm not the only one having this issue. Right now, I gave up on solving the issue on my own as well, as I don't know what else to try. I'm going through my contacts asking for a similar experience. Whenever I find something I'll post it here so we all know about it.

Thanks again and good luck!

Martin

0 Kudos
mbx369
Enthusiast

Hi Saquan / Everyone

Anyone manage to get this problem resolved?

I'm on VUM 4.1 Update 1 and having the same issues. Reinstalled etc etc, still not working ...

Please awards points if this was useful. :) ~~~~~ To Live Is To Die ~~~~~ VCP3/4/5
0 Kudos
psellers
Contributor

Hi Everyone.  I think I have a solution for you.  I worked with VMware Support on the same issue and we finally found a root cause -- a missing Trusted CA Certificate.  Are you using Windows Server 2008 (and not 2008 R2) by chance?  I am on original Win Server 2008 and have a theory (unproven so far) that this doesn't affect Server 2008 R2. 

Here were my steps to resolve the issue. I just posted a blog article about this and my experience. Please comment (on the blog or here) and let me know if this resolves your issues...

Cheers,

Philip

My Steps to Solve

  1. Using Firefox (a VMware recommendation), download the following cabinet file: https://xml.shavlik.com/data/pd5.cab
  2. Right click the pd5.cab file and go to Properties.
  3. Go to the Digital Signatures tab, click on the name of the signer, which should be Shavlik Technologies, and click the Details button.
  4. The Digital Signature Details window will appear.  Click the View Certificate button.
  5. The Certificate window will appear.  Go to the Certification Path tab.  Go to the root Verisign certificate and make sure that the Certificate status says "This certificate is OK."
  6. Click the certificate labeled "Verisign Class 3 Code Signing 2010 CA" and click View Certificate.  Ensure that this certificate is valid and trusted.  Click the Install Certificate button and the Certificate Import Wizard will appear.
  7. Click Next and choose the Place all certificates into the following store option.  Click Browse and select the Trusted Root Certification Authorities store.  Click Next and then click Finish.
0 Kudos
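The certificate-path inspection from the steps above can also be run from a PowerShell prompt on the Update Manager server. This is an added example, not part of the original post or of VMware's guidance; the function name `Test-CabSignerChain` and the default download path are assumptions, and the script only reads the certificate stores.

```powershell
# Added example: read-only look at a downloaded CAB's Authenticode signer chain.
# Assumed: the CAB was saved to $CabPath; Test-CabSignerChain is a made-up name.
param([string]$CabPath = "$env:USERPROFILE\Downloads\pd5.cab")

function Test-CabSignerChain {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Windows' own verdict for the file (Valid, NotTrusted, UnknownError, ...).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = New-Object PSObject -Property @{
        Status = $sig.Status; StatusMessage = $sig.StatusMessage
        ChainOk = $false; ChainStatus = ''; Elements = @()
    }
    if (-not $sig.SignerCertificate) { return $result }   # unsigned or unreadable

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so a blocked CRL fetch behind the proxy does not
    # hide a missing CA certificate.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # The chain is evaluated at the current time, so an old timestamped file can
    # show NotTimeValid here while $sig.Status above is still Valid.
    $result.ChainOk = $chain.Build($sig.SignerCertificate)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # One row per certificate the chain engine could locate, leaf first, with
    # the local machine store (if any) that already holds it.
    $result.Elements = @(foreach ($e in $chain.ChainElements) {
        $tp = $e.Certificate.Thumbprint
        New-Object PSObject -Property @{
            Subject        = $e.Certificate.Subject
            Issuer         = $e.Certificate.Issuer
            InTrustedRoot  = Test-Path "Cert:\LocalMachine\Root\$tp"
            InIntermediate = Test-Path "Cert:\LocalMachine\CA\$tp"
            Problems       = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    })
    return $result
}

if (Test-Path $CabPath) {
    $r = Test-CabSignerChain -Path $CabPath
    "Authenticode status : {0} - {1}" -f $r.Status, $r.StatusMessage
    "Chain builds        : {0} {1}" -f $r.ChainOk, $r.ChainStatus
    $r.Elements | Format-List Subject, Issuer, InTrustedRoot, InIntermediate, Problems
}
```

A chain that stops at the signer certificate with `PartialChain` means the issuing CA certificate was not found in any local store.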
mbx369
Enthusiast

Hi Phillip,

I am running the VUM on the vCenter server; OS = Win2K3R2-64bit.

I have carried out the steps suggested, but the problem still persists.

Attached is an excerpt from the vmware-vum-server-logXcpp.log

I have replaced my proxy IP in the logs, don't be alarmed.

Thanks & Regards

Please awards points if this was useful. :) ~~~~~ To Live Is To Die ~~~~~ VCP3/4/5
0 Kudos
psellers
Contributor

Have you tried downloading the CAB file it is unable to extract manually and examining it? In particular, look at the digital signature on the CAB file and see how it is signed. When I download it, it's signed by a Shavlik certificate issued from VeriSign Class 3 Code Signing 2010 CA.

From your logs it looks like it successfully downloads https://xml.shavlik.com/data/hfnetchk6b.cab and that this file is the one it cannot successfully extract. The logs look very similar to my logs and my problem.

Also, try going into the Certificates MMC and make sure the VeriSign Class 3 Code Signing 2010 CA is in the Trusted Root Certification Authorities list.

Hope this helps,

Philip

0 Kudos
mbx369
Enthusiast

Hi Philip,

Yes, I was able to download the CAB & manually extract the content. There was only a single xml file.

The cert is already "trusted", refer to the pic.

Btw, I was unable to view the xml file using IE. Usually, it should be able to load with the tags etc.

Please awards points if this was useful. :) ~~~~~ To Live Is To Die ~~~~~ VCP3/4/5
0 Kudos
mgcarmueja
Contributor

Hi Philip,

The solution you proposed worked for me on Windows Server 2003R2 x64. I just installed the CA certificate and ran a package definitions download. It worked flawlessly.

Thank you very much!

0 Kudos
psellers
Contributor

Very glad that it worked for you.  I have also found that I had to enable the same certificates for any Guest OSes I was patching.  I created a group policy to enable this trusted root cert on my domain. 

I am still having some difficulties with off-domain systems, even when I manually add the certificate.  If I find a solution there, I'll report it back here also.

0 Kudos
psellers
Contributor

I continued to have some problems patching off-domain systems after these original posts. I have finally got a proven solution for the final few guest instances that I could not patch - it was Microsoft's April 2012 Root Certificate Update missing on the guests that were having problems. Once installed, they have patched without any issues.

Worked with support and also found a pertinent KB article in the VMware KB (http://kb.vmware.com/kb/2018897). I did the two things it suggested - I updated vCenter Server 4.1 Update 3 and installed the April 2012 Root Certificate Update. The tricky part was finding an installer for Win 2003 and 2008 Server -- I finally located these updates at http://catalog.update.microsoft.com. Once I installed the certificate update, I was able to successfully scan and remediate these off-domain systems.

0 Kudos
ayang
Contributor

Try deleting the 32-bit ODBC connection and recreating it. It worked for me. I saw an ODBC error in the log, and just deleted and re-created it.

0 Kudos