WilliamLam.com


Quick Tip - Establish trust between VCF 9.0 Installer and VCF Offline Depot w/self-sign TLS certificate

08.01.2025 by William Lam // 4 Comments

For lab purposes, when configuring a VCF 9.0 Offline Depot, you can streamline the infrastructure setup by configuring the VCF Installer to use HTTP instead of HTTPS, which is the VCF Installer's default.

Alternatively, if you keep the system default, which expects the VCF Offline Depot to be served over HTTPS, you might be using a self-signed TLS certificate. If you attempt to connect to your offline depot with the VCF Installer, you will probably hit an error because the TLS certificate is not trusted by the VCF Installer, which is expected.


In VCF 5.x, the workaround was to import your TLS certificate chain into SDDC Manager's certificate store which would then allow the trust to be established.

The exact same solution is required for the VCF Installer, but the path to the certificate store has changed.

Step 1 - Copy the TLS certificate chain from your VCF Offline Depot to the VCF Installer appliance. In my example, I have placed it in /root/fullchain.pem

Step 2 - Run the following command to import your certificate into the VCF Installer certificate store (replace the -file and -alias with your own values) and trust the certificate:

keytool -import -trustcacerts -file /root/fullchain.pem -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts -alias depot.vcf.lab

Note: You will be prompted for the keystore password, which is changeit


Step 3 - We now need to restart the VCF Installer services for the change to go into effect:

echo 'y' | /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

Step 4 - Finally, we can now connect to the VCF Offline Depot over HTTPS and we will no longer see the error message!
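
As an added example (not part of the original post and not VMware tooling), the script below lists what a PEM file such as /root/fullchain.pem contains before Step 2 and prints the stored entry after it, so the SHA-256 fingerprints can be compared; a trusted-certificate entry in a Java keystore holds one certificate per alias. The function names are hypothetical, and it assumes awk, openssl and keytool are available on the appliance.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM bundle before
# importing it into the JVM trust store, then confirm the imported entry.
# Paths and alias are the post's example values; function names are hypothetical.
# Assumes awk, openssl and keytool are available on the appliance.

CACERTS=/usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts

# Print how many certificates a PEM bundle contains.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate in bundle $1 to $2/cert-N.pem (N starts at 1).
split_pem_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# Show subject, issuer, expiry and SHA-256 fingerprint of every certificate.
describe_chain() {
    tmp=$(mktemp -d) || return 1
    split_pem_chain "$1" "$tmp"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        openssl x509 -in "$c" -noout -subject -issuer -enddate -fingerprint -sha256
    done
    rm -rf "$tmp"
}

# After Step 2: print the stored entry so its fingerprint can be compared.
verify_import() {
    keytool -list -keystore "$CACERTS" -storepass changeit -alias "$1"
}

# Runs only with arguments, e.g.: sh check-chain.sh /root/fullchain.pem depot.vcf.lab
if [ "$#" -ge 1 ]; then
    echo "certificates in $1: $(count_pem_certs "$1")"
    describe_chain "$1"
    if [ -n "${2:-}" ]; then verify_import "$2"; fi
fi
```

Anything imported into cacerts becomes a trust anchor for every Java service that uses this JVM's default trust store, so compare the fingerprint against the certificate on the depot host before importing.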


One enhancement I would love to see in the future for both the VCF Installer and SDDC Manager is what has already been implemented in VCF Operations Fleet Manager, which allows users to easily trust a self-signed TLS certificate during the connection workflow without having to jump through multiple hoops, something I definitely will be sharing with our PM team.

Categories // VMware Cloud Foundation Tags // VCF 9.0

Comments

  1. *protectedketchup says

    08/13/2025 at 12:26 pm

    Could you attempt "VCF Download Tool Update Manager Download Service (UMDS) Commands" portion of the download tool as well?
    It took me some trial and error to get the sddc managers to sync with the offline depot. Might be good to have as a reference.

    • *protectedketchup says

      10/10/2025 at 5:41 am

      Definitely appreciate your blog posts!

      Have you tested syncing the ESXI components with the offline depot and SDDC Manager? There's another certificate store that gets used when running the esxi component sync to an offline depot.
      CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: /etc/ssl/certs

      ./vcf-download-tool umds run vmware-umds -D

      SDDC and Fleet appliance are connected to an offline depot and download the patches, upgrades and install binaries just fine. But trying to sync .vibs the task fails due to the mentioned cert store not having either the self-signed or enterprise trusted CAs imported to this cert store as well.

      Currently got a support case open to verify proper steps for this since these certs are managed by a different cert utility.

      • William Lam says

        10/10/2025 at 8:08 am

        Can you share SR number?

        • William Lam says

          10/10/2025 at 5:02 pm

          Looks like Step 7 is what you need to apply https://williamlam.com/2024/05/creating-an-offline-vmware-cloud-foundation-vcf-depot-for-multiple-vcf-environments.html



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
