This PowerShell script downloads the VMware vCenter Supervisor items based on this KB: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/vsphere-supervisor-installation-and-configuration/updating-vsphere-supervisor/updating-the-vsphere-with-tanzu-environment/configuring-a-subscribed-content-library-for-supervisor-images-in-air-gapped-environment/create-a-remote-content-library-pulisher-in-a-local-environment.html
Create a Remote Content Library Publisher for vSphere Supervisor Releases in an Air-Gapped Environment
Learn how to create a subscribed content library for vSphere Supervisor release images by setting up a remote content publisher in your local network. The remote publisher setup introduces a staging host, which is a jump or intermediary system that has access to download release artifacts and then acts as a publisher for internal consumption. This way, you can set up a subscribed content library to update the vSphere Supervisor releases in an air-gapped environment where internet access is prohibited due to compliance and security policies.
From a machine with internet access, download the full release bundle including the lib.json file from https://wp-content-pstg.broadcom.com/supervisor/v1/latest/
Host the release artifacts on a local Web server.
Copy the contents of the downloaded bundle to a directory served by a local HTTP server.
Ensure the lib.json file is accessible through a stable internal HTTP URL, for example, http://<host-ip>/supervisor/lib.json.
The script skips files it has already downloaded.
When following any of the VCF 9 offline depot guides mentioned by some great folks (William Lam, Broadcom, VMware Blog), there are continual mentions of importing the self-signed certificate and/or your enterprise CA certificates into the different trusted keystores mentioned in this article: https://knowledge.broadcom.com/external/article?legacyId=77262
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
Run the command below to import the proxy certificate into the Java trust store:
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
These keystores are needed to download the overall VCF binary packages for upgrades, installs, and patching images. This, however, does not fix the issues with syncing the ESXi components and third-party partner VIBs when using this portion of the vcf-download-tool (see "VCF Download Tool Update Manager Download Service (UMDS) Commands").
If you have these files downloaded and exported to your existing offline depot configured for the URL https://<hostname/ipaddress>/umds-patch-store (SDDC Manager looks for umds-patch-store specifically in the vvsconfig.json)
Example:
https://vcf-offlinedepot.lab.local:443/umds-patch-store/hostupdate/__hostupdate20-consolidated-index__.xml
I have an nginx conf that I can share to have all the proper redirects for PROD, etc., and a .htpasswd file to work with SDDC Manager. Just let me know.
When you try to sync the ESXi components, you will most likely get a failed task in the operations center.
If you review the SDDC log:
cat /var/log/vmware/vmware-updatemgr/umds/vmware-downloadService.log
You should see something similar to the following in the log:
2025-10-09T16:22:10.322Z info vmware-downloadService[959155] [Originator@6876 sub=ThreadPool] Entering worker thread loop
2025-10-09T16:22:10.322Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 472] GetEasy() needs to allocate new CURL
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 695] Unset CURLOPT_PROXY
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 707] Unset CURLOPT_NOPROXY
2025-10-09T16:22:10.323Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 759] Setup callback for SSL connections.
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * Host vcf-offlinedepot.lab.local:443 was resolved.
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * IPv6: (none)
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * IPv4: 10.10.254.194
2025-10-09T16:22:10.325Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * Trying 10.10.254.194:443...
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * CAfile: /etc/pki/tls/certs/ca-bundle.crt
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * CApath: /etc/ssl/certs
2025-10-09T16:22:10.368Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * ALPN: curl offers http/1.1
2025-10-09T16:22:10.384Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.384Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 189] * closing connection #0
2025-10-09T16:22:10.385Z error vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 782] curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.388Z error vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 782] [backtrace begin] product: VMware vSphere Update Manager Download Service, version: 9.0.0, build: build-24695687, tag: vmware-downloadService, cpu: x86_64, os: linux, buildType: release
--> [backtrace end]
2025-10-09T16:22:10.388Z verbose vmware-downloadService[959145] [Originator@6876 sub=httpDownload] [httpDownloadPosix 756] Cleanup SSL context
2025-10-09T16:22:10.388Z error vmware-downloadService[959145] [Originator@6876 sub=DownloadMgr] [downloadMgr 709] Executing download job {139698576042880} throws error: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
2025-10-09T16:22:10.388Z error vmware-downloadService[959154] [Originator@6876 sub=Default] [updateDownloaderImpl 116] File download error: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: self-signed certificate in certificate chain
The fix is to upload the self-signed / trusted enterprise CA certificate chain to /etc/ssl/certs. From there, run /usr/bin/rehash_ca_certificates.sh and it will update the CA bundle at /etc/pki/tls/certs/ca-bundle.crt (the CAfile that curl reports in the log above).
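
The trust check behind that fix, as an added example that is not part of the original page or any VMware tooling: it builds a constructed CA, leaf certificate and CA bundle in a temporary directory and shows that the chain is rejected until the CA is in the bundle. The function names chain_trusted and demo are hypothetical, and openssl is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.
# chain_trusted BUNDLE SERVER_CHAIN LEAF: exit 0 only if LEAF chains to a CA in BUNDLE.
# SERVER_CHAIN holds the certificates the server sends (treated as untrusted).
chain_trusted() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# For a real depot, the presented chain can be captured with:
#   openssl s_client -connect <depot-host>:443 -showcerts </dev/null
# and checked against /etc/pki/tls/certs/ca-bundle.crt (the CAfile in the log).

# demo: constructed CA, leaf and bundle in a temp dir; prints trust before/after.
demo() {
    local d before after
    d=$(mktemp -d) || return 1
    cat >"$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    mkca() {  # mkca NAME CN: self-signed CA certificate NAME.pem with key NAME.key
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$2" \
            -keyout "$d/$1.key" -out "$d/$1.pem" -days 1 2>/dev/null
    }
    mkca depot "Constructed Depot CA" && mkca other "Constructed Unrelated CA" || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=vcf-offlinedepot.lab.local" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/depot.pem" -CAkey "$d/depot.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null || return 1
    cp "$d/other.pem" "$d/ca-bundle.crt"          # bundle without the depot CA
    chain_trusted "$d/ca-bundle.crt" "$d/depot.pem" "$d/leaf.pem" \
        && before=trusted || before=untrusted
    cat "$d/depot.pem" >>"$d/ca-bundle.crt"       # CA now present in the bundle
    chain_trusted "$d/ca-bundle.crt" "$d/depot.pem" "$d/leaf.pem" \
        && after=trusted || after=untrusted
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

Running chain_trusted against the real bundle before and after the rehash step confirms the change took effect without waiting for another failed sync task.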