Oct 27, 2017
 

I went to re-deploy some vDP appliances today and noticed a newer version was made available a few months ago (vSphere Data Protection 6.1.5). After downloading the vSphereDataProtection-6.1.5.ova file, I went to deploy it to my vSphere cluster and it failed due to an invalid certificate and a message reading “The OVF package is signed with an invalid certificate”.

I went ahead and downloaded the certificate to see what was wrong with it. While the publisher was valid, the certificate was only valid from September 5th, 2016 to September 7th, 2017, and today was October 27th, 2017. It looks like the guys at VMware should have generated a new cert before releasing it.

 

 

To resolve this, you need to repackage the OVA file and skip the certificate using the VMware Open Virtualization Format Tool (ovftool) available at https://code.vmware.com/tool/ovf/4.1.0

Once you download and install this, the executable can be found in your Program Files\VMware\VMware OVF Tool folder.

Open a command prompt, change to the above directory, and run the following:

ovftool.exe --skipManifestCheck c:\folder\vSphereDataProtection-6.1.5.ova c:\folder\vdpgood.ova

This command repackages the OVA without the certificate and saves it as the new file vdpgood.ova named above. Afterwards, deploy it to your vSphere environment and all should be working!
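An added example, not part of the original post: because the repackaged OVA no longer carries the publisher's certificate, the digests in its manifest can be checked independently before deployment. The sketch treats the OVA as a tar archive, parses `SHA1(file)= digest` lines from the .mf file and compares them with recomputed digests. The function names and the sample archive (demo.ovf, demo-disk1.vmdk) are constructed for illustration.

```python
import hashlib, io, re, tarfile

# Manifest (.mf) line format assumed here: "SHA1(name)= <hex>" or "SHA256(name)= <hex>"
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")

def check_ova(fileobj):
    """Return ({member: 'ok'|'mismatch'|'missing'|'unlisted'}, has_cert)."""
    expected, actual, has_cert = {}, {}, False
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:  # OVA = uncompressed tar
        for member in (m for m in tar if m.isfile()):
            fh = tar.extractfile(member)
            if member.name.endswith(".mf"):
                for line in fh.read().decode("utf-8", "replace").splitlines():
                    m = MF_LINE.match(line.strip())
                    if m:
                        expected[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            elif member.name.endswith(".cert"):
                has_cert = True  # signature over the manifest; not validated here
            else:
                sha1, sha256 = hashlib.sha1(), hashlib.sha256()
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large disks
                    sha1.update(chunk)
                    sha256.update(chunk)
                actual[member.name] = {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}
    results = {name: "unlisted" for name in actual if name not in expected}
    for name, (algo, want) in expected.items():
        if name not in actual:
            results[name] = "missing"
        else:
            results[name] = "ok" if actual[name][algo] == want else "mismatch"
    return results, has_cert

def build_sample_ova(edit_ovf=False):
    """Constructed input: tiny OVA whose .ovf is optionally edited after the manifest was written."""
    ovf, disk = b"<Envelope><Name>demo</Name></Envelope>", b"\x00" * 4096
    mf = "SHA1(demo.ovf)= %s\nSHA1(demo-disk1.vmdk)= %s\n" % (
        hashlib.sha1(ovf).hexdigest(), hashlib.sha1(disk).hexdigest())
    if edit_ovf:
        ovf = ovf.replace(b"demo", b"edited")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("demo.ovf", ovf), ("demo.mf", mf.encode()), ("demo-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(check_ova(build_sample_ova()))               # intact package
    print(check_ova(build_sample_ova(edit_ovf=True)))  # .ovf changed, manifest stale
```

For a real package, pass a file opened in binary mode, for example `check_ova(open(path, "rb"))`.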

 

  17 Responses to “Invalid certificate when deploying vSphere Data Protection 6.1.5 ova file”

  1. Worked great, thanks for the tip!

  2. I wrote too soon. The ovftool.exe example creates a nice VDP ova without the manifest. But, when I try to Deploy OVF Template with vCenter 6.5, I get an error message “Unable to retrieve manifest or certificate.” Do you know of a work-around so vCenter will deploy without a manifest in the vdpgood.ova file?

  3. Hi Kevin,

    Did you use the command exactly as I wrote it in the blog post? It’s not skipping the manifest, but it’s skipping the manifest check.

    Command:
    ovftool.exe --skipManifestCheck in.ova out.ova

    Cheers

  4. Stephen, thanks for taking the time to respond. Yes, I typed the command exactly. I think the error message from vCenter 6.5 comes because the certificate is no longer in the OVA. Looking inside the new OVA file, I see the manifest is still contained with the SHA1 hashes.

  5. Hi Kevin,

    Are you running the latest version of vSphere (and ESXi)? I remember there being a bug inside of the flash UI on vCenter. I’m wondering if this is causing your issue?

    Seriously, that command should fix the deployment. I’ve used this in 2 instances without issues. But with that being said, I did have OVA deployment issues (unrelated to the vDP ova file), due to the vSphere version I was running. I can’t remember, but I think I had to only update to the latest version (I was only one set of updates behind).

    Stephen

  6. Hi Kevin,

    One other thing too: I’m not sure if you’re doing this from an SMB network share, but download the OVF file directly to your computer, run the ovftool command (with the skip manifest check) on your system with the output file set on your computer as well (local storage).

    I recall a few times with earlier vDP versions, where that error may have popped up if I was trying to deploy an OVA or OVF from a network share (even though I was uploading it via the web interface from my computer), instead of the local system.

    Cheers

  7. Very thanks! I resolved this issue with your method!

  8. great write-up, it saved me time. Thanks!

  9. there is a missing - in the command; use ovftool.exe --skipManifestCheck in.ova out.ova

  10. Thanks for pointing that out Tony! The WordPress code was removing the dash. Changed the post to use a different method.

    It’s now corrected. Thanks again!

  11. actually this resulted in a checksum error for me. I suspect me changing the file disrupted the checksum, but why would that matter once it’s downloaded?

  12. Hi Tony,

    There’s a few things that may be causing this. Try using a different browser to connect to your vSphere environment and re-upload the OVA file.

    Report back and let me know if that worked.

    Stephen

  13. Unfortunately there aren’t a lot of options for browsers in my company, and Chrome doesn’t support the Flash version, so I’m using IE 11.

    I believe this was caused by changing something in the ovf file and then not redoing the checksum and putting that into the mf file.
    I have used a Linux system to extract the OVA, tossed the cert file, modified something (anything in the ovf file, like a title of an element tag or something), then ran a redo of the checksum, copied and pasted that checksum into the mf file and repackaged it all (minus the cert) into a new ova file. This has not worked either.

    Looking back, would it be better to just use the --disableVerification parameter instead of the skipmanifest?

  14. There’s a bug I came across when checksums are invalid when using IE. I used Chrome (you have to add the site as an exception for the Chrome flash plugin to load).

    Did you modify anything inside of the vDP template? It should work as long as you didn’t modify the contents.

    I’ve done this on this specific file over 5 times and it’s worked each time. Keep in mind I don’t modify the contents, I just run the command.

    The first time, I had an issue uploading the OVA, but that was due to the vSphere version I was running, and the fact I was using IE. If this is your problem, you’ll either need to use a different browser, try using the HTML5 UI (with the same browser), or update your vCenter server.

  15. Ok, for all future readers that stumble across this fix – after adding the exception for flash into chrome and running the original command in Stephen’s post with the added ‘-‘ it worked.
    Chrome, Flash Web Client, VDP OVA 6.1.5 with the command above = success

    This was my whole day, thanks for that vmware….

    Stephen, you sir are a Scholar and a Gentleman for posting something, and actually backing it up by staying on top of replies to your readers. Thank you (non-sarcastically)

  16. Glad to hear it worked, and it’s my pleasure.

    Thanks again for pointing out that the dash disappeared as well, it’s all about community effort in our industry!

    Cheers!

  17. Excellent, thank you very much!!!
