"The OVF package is invalid and cannot be deployed" error when deploying the WAF OVA

12/20/2019 17 18415

DESCRIPTION:

NOTE: ESXi server versions before 6.5.0 do not support OVF/OVA files with a SHA256 hash.

VMware provides a tool to convert the OVA to SHA1 and allow installation on these older ESXi systems.

The failure is indicated with an error pop up: "The OVF package is invalid and cannot be deployed"

"The following manifest file entry (line 1) is invalid: SHA256(SonicWall_WAF_2_0.0.0-17waf.ova)=..."

CAUSE:

This OVA was released with a SHA256 hash.  This is the current standard practice for all applications.

NOTE: The 6.0.0 and 5.5.0 versions of ESXi do not support SHA256 and require the OVA to be hashed with SHA1.

RESOLUTION:

Convert the SHA256 OVA to a SHA1 hashed OVA.

VMware upgraded the default hash algorithm to SHA256 for OVA generation. The older vSphere/ESXi clients only support the SHA1 hash.

The conversion is documented in a KB article from VMware: https://kb.vmware.com/s/article/2151537.

To download OVF Tool, please visit:Open Virtualization Format Tool.When installed on a Windows machine the ovftool.exe is not added to the path so it needs to be executed in the directory where it is installed.

NOTE: The above link, to download ovftool.exe, is on a VMware company web page.  It may change. If the link becomes broken, navigate to  VMware site (https://www.vmware.com/)and search for ovftool to download .)

EXAMPLE:The process to convert an OVA to SHA1 for compatibility with the 6.0 and 5.5 vSphere or ESXi systems:

Open a CMD window (as administrator)

cd C:\Program Files\VMware\VMware OVF Tool
ovftool.exe --shaAlgorithm=SHA1 C:\Users\username\Downloads\SonicWall_WAF_2_0.0.0-17waf.ova C:\Users\username\Downloads\SonicWall_WAF_2_0.0.0-17waf-SHA1.ova