10 August 2011

VMware certificate issues!

Here and there I post some interesting technical detail I run across, but this one will be pretty esoteric for most.

I currently manage several VMware Infrastructure 3i clusters (ESXi 3.5). I don't upgrade on a regular basis, because, well, these systems just run. They're not highly exposed (they're behind a firewall) and none of the host ports are exposed to the public internet. That said, an upgrade to VMware 4.1 is forthcoming!

As a result, I didn't become aware that VMware has a certificate on their systems against which patches are checked - and that this certificate was expiring in June 2011.

Using the VMware Infrastructure Update tool, I tried to update the ESXi systems I have at my DR site (in preparation to update those in production), and while one updated without trouble, the second failed, with "Signature check failed." in the esxupdate log (in /var/log/vmware/, if you're logged into the console on the host).

Because this is an ESXi system, I didn't have the (relatively) easy RPM-based update mechanism that the ESX systems have, and all of what I could find from VMware indicated the same thing - that I needed to get the most recent version of ESXi 3.5 on an ISO, boot from that and perform the upgrade that way.

That seemed like way too much work, in particular because these machines are 1975 miles away from me.

The contents of the particular ESXi offline patch file I needed (ESXe350-201105401-O-SG, downloadable here) include three components - firmware, VMware Tools, and the Virtual Infrastructure Client.

The patch file is in a Zip format, though ESXi has no "unzip" tool, so I opened that archive and pulled out the three zip files it contained. The one that matters is the one with the firmware (in this case, ESXe350-201105401-I-SG.zip).

I extracted the folder contained within it (ESXe350-201105401-I-SG) to the desktop on my Windows workstation. I then uploaded the folder to a datastore reachable from the host.

At this point I verified that no VMs were running on the host, and I switched it to maintenance mode.

Not knowing what all I would need to execute in this directory, I got on the console (I enabled SSH a while ago), and navigated through the filesystem into the ESXe350-201105401-I-SG folder (in my case, it was in a folder off the root of a datastore called "DR-Test", so /vmfs/volumes/DR-Test/update/ESXe350-201105401-I-SG). The important script therein is "install.sh", and as it was not set executable (it was -rw-------), I performed a "chmod 755 -R ESXe350-201105401-I-SG", so the script could run.

I then ran the script (typing "./install.sh"). The script ran a quick filesystem check, then indicated progress with percentages (0%, 14%, 28%, ...). Once it was finished, I went back to the VMware Infrastructure Client and rebooted the host.

In a few minutes, I was up and running the new version ("vmware -v" showed "VMware ESX Server 3i 3.5.0 build-391406").
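Since the update tool's signature check was the step that failed, the bundle's integrity has to be confirmed some other way before install.sh is run by hand. The following is an added example, not part of the original post: a workstation-side script that checks the downloaded bundle against a digest and then unpacks only the inner firmware zip. It assumes a vendor-published digest is available for the download; the function names, the `expected_hex` value and the digest algorithm are assumptions to be supplied by the operator.

```python
import hashlib
import io
import zipfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash the bundle in chunks so a large download is not loaded at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_firmware(bundle, expected_hex, inner_name, dest, algorithm="sha256"):
    """Verify the outer bundle, then unpack only the named inner firmware zip.

    expected_hex is the digest published for the download (assumed available).
    Returns the sorted member names that were extracted. Raises ValueError if
    the digest differs, the inner zip is missing or corrupt, or a member path
    would land outside dest.
    """
    actual = file_digest(bundle, algorithm)
    if actual != expected_hex.strip().lower():
        raise ValueError(f"digest mismatch: got {actual}")
    dest = Path(dest).resolve()
    with zipfile.ZipFile(bundle) as outer:
        if inner_name not in outer.namelist():
            raise ValueError(f"{inner_name} not found in bundle")
        inner_bytes = outer.read(inner_name)
    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        if inner.testzip() is not None:  # CRC check of every member
            raise ValueError("corrupt member in inner zip")
        for member in inner.namelist():
            target = (dest / member).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member}")
        inner.extractall(dest)
        return sorted(inner.namelist())
```

For the bundle in this post, `inner_name` would be `ESXe350-201105401-I-SG.zip`, and the extracted folder is what gets uploaded to the datastore.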

Let me know if this helps you!

Thanks to VMwareWolf for the good info.
