A couple of weeks ago I had upgraded my personal home computer to the latest MacOS Catalina (10.15) and one of the first issues I ran into was being able to access my vCenter Server. It turned out this was due to changes to MacOS security (which is a good thing) but certainly caught me and others off guard. In fact, I spent quite some time searching online and eventually found this workaround here.
After sharing this tidbit online (which several others also ran into) I came to learn that both Duncan Epping blogged about this issue back in Nov 2019 here and Christian Mohn blogged about this in Dec 2019 here. Sadly I did not come across either of their blogs using "NET::ERR_CERT_REVOKED macos catalina" in Google. I had assumed this was a Chrome issue and simply landed on the first few links and looking back, I now see Duncan's blog was #6 in the search results (doh!)
Today, I ran into another issue when attempting to use the VCSA CLI Installer, the following error was thrown:
“vcsa-deploy.bin” cannot be opened because the developer cannot be verified
This is again due to a security change in MacOS Catalina which now prevents terminal-based applications which are not notarized from running. For a single application/binary, you can go into System Preferences->Security & Privacy and allow anyway. For more complex applications like the VCSA CLI Installer which has a number of libraries and scripts, this will take awhile and end up frustrating end users. The updated security enhancement is actually a good thing and I did not want to disable the Gatekeeper service but I was interested in disabling it for the VCSA CLI Installer. While searching online, I came across this Hashicorp Terraform thread where folks were having the exact same issue and I found out there was a way to disable the MacOS Security Gatekeeper for a specific application.
To do so, we just need to recursively remove the metadata attribute "com.apple.quarantine" for the extracted VCSA ISO by running the following command:
sudo xattr -r -d com.apple.quarantine VMware-VCSA-all-6.7.0-Update-15132721
After the quarantine attribute has been removed, you can now run the VCSA CLI Installer (including UI Installer) without being prompted with an error. Hopefully VMware will consider notarizing future releases of the VCSA Installer and I will be sharing this feedback internally if it has not already.
Andrew Moser says
Another way around the Catalina SSL issue is to import the certs into your keychain. In Chrome if you view the certificate by clicking the "Not Secure" section to the left of the URL, you can then just drag the cert to your desktop, then open it by double clicking, which will open Keychain. Once in Keychain, you can set it to always trust. Saves a few steps for things that use Identity Manager as you only have to do it once instead of for each solution.
Joe Adams (@vJoeAdams) says
Thanks William! This works for the vRA 8.1 deployment as well. Thanks for posting this!
Matthew Heinrich says
Thanks William. I'm trying to deploy VSCA 7.0 from a Mac and running into similar issues. I tried to adapt the quarantine command for the VCSA 7.0 installer but it still fails... Any ideas?
Patrick Ramsey says
Try un-mounting the ISO, then running the remove attribute command on the ISO file including the extension. Then re mounting the ISO, then running the installer
Tim Sheppard says
Thank you - that stopped me going round in circles.
Joao Moradei says
Hello! Thanks for the great tip!
I have something else I didn't search properly how to fix yet, I thought someone could have a quick fix for that.
When starting my VMs it asks for my admin password for every NIC the VMs have. Is there a way to run my VMs on a "trusted" mode? Without having to authorize them every time?
Thanks!
Mark Koepsell says
Hi has anyone run into similar issues when trying to install vcsa ui installer? I get ovftool cannot be opened, libcrypto.1.0.2.dylib, libvmacore.dylib cannot be opened as well even after allowing it from settings. I tried running the command line that William shared. Didn't work and tried with my current version and build number and no luck either.
Currently trying to run VMware-VCSA-all-7.0.1-16860138 and connect it to my server (mac mini). I'm new and learning to setup a home lab. 🙂 Thanks!
Toine Eetgerink says
Thx Saved me, Needed to extract the ISO and then i could fix it with the above command point to the extracted directory
Mac keeps on being annoying
cloudmakerbrian says
over 1 year and no change the the VRA8.3 installer - same behavior. I'm sorry that they didn't hear your feedback and I'm sorry that MacOS is still a second class citizen with respect to Vmware installers. Thanks for your blog william , we appreciate your help.