vSphere CPI SSL errors

Article ID: 293395

Products

Operations Manager

Issue/Introduction

Apply Changes fails with error:
Error: Unknown CPI error 'Unknown' with message 'The URL https://VCENTERIP/sdk/vimService does not have a valid SSL certificate. You may use the manifest property 'vcenter.connection_options.ca_cert' in the global CPI config to set a trusted CA CERTIFICATE, PEM-encoded.

The error can be misleading because it points to a problem with the vCenter SSL certificate. However, unless the ca_cert for vCenter is specified, the CPI should skip SSL verification by default, so in many cases the SSL error is not related to that certificate.

Resolution

There could be many reasons why an SSL error occurred. Here are two things you should check:

1. Confirm that the BOSH Director CPU and memory are scaled properly. Prior to vsphere-cpi version 59, which is included in OpsMan 2.10.12, BOSH loaded the NSX-T management and policy API clients into memory and constructed their objects even if NSX-T was not configured. This could sometimes lead to memory and CPU spikes, which may result in SSL errors.

2. If NSX-T is configured in the BOSH Director tile, ensure that all the NSX-T certs, including the NSX Manager PI cert, are up to date. If the certs are correct, it might be worth confirming that the values for your certs in the following two endpoints match:
https://opsmgr_fqdn/debug/files#staged_cpi_configs
https://opsmgr_fqdn/debug/files#staged_installation
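
Added example (not part of the original article and not VMware tooling): one way to do the comparison in step 2 once the contents of both endpoints have been saved as text. It compares certificates by SHA-256 fingerprint so that differences in indentation or "\n" escaping do not show up as mismatches. The key name example_nsx_ca_cert and the sample data are constructed for illustration; the real layout of the two files is an assumption.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(text):
    """SHA-256 fingerprint of the decoded bytes of every PEM certificate in text."""
    # The same certificate may appear as an indented YAML block in one file and
    # as a single line with literal "\n" escapes in the other; normalise both.
    text = text.replace("\\n", "\n")
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(text)
    }

def compare(cpi_configs_text, installation_text):
    """Return (only_in_cpi_configs, only_in_installation) as fingerprint sets."""
    cpi = cert_fingerprints(cpi_configs_text)
    inst = cert_fingerprints(installation_text)
    return cpi - inst, inst - cpi

# --- Constructed sample data: placeholder bytes, not real certificates. ---
def _sample_pem(seed):
    b64 = base64.b64encode(seed * 8).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

CERT_A = _sample_pem(b"constructed-cert-A")
CERT_B = _sample_pem(b"constructed-cert-B")
# Hypothetical key name; the real files' layout is not shown in the article.
CPI_CONFIGS = "example_nsx_ca_cert: |\n" + textwrap.indent(CERT_A, "    ")
INSTALLATION_OK = 'example_nsx_ca_cert: "' + CERT_A.replace("\n", "\\n") + '"\n'
INSTALLATION_STALE = 'example_nsx_ca_cert: "' + CERT_B.replace("\n", "\\n") + '"\n'

if __name__ == "__main__":
    for label, inst in (("matching", INSTALLATION_OK), ("stale", INSTALLATION_STALE)):
        only_cpi, only_inst = compare(CPI_CONFIGS, inst)
        print(label, "| only in staged_cpi_configs:", sorted(only_cpi),
              "| only in staged_installation:", sorted(only_inst))
```

A fingerprint that appears only under staged_cpi_configs means the CPI config holds a certificate that the staged installation does not, which is the mismatch step 2 asks you to look for.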

If neither of these suggestions helped, please open a case with VMware Tanzu support.