Enable sidecar DSA ciphers for vCenter 8.0.2
Article ID: 312047

Products

VMware vCenter Server

Issue/Introduction

  • This issue is present only for vCenter version 8.0.2.
  • vCenter calls to NSX (or to another server) are rejected with the error "HTTP response status code: 503 'Service Unavailable'".
  • The target server itself is running without problems.

Pre-check to identify whether the problem is present:

On the target vCenter, run the following diagnostic commands, where <SERVER_IP> is the IP of the NSX host or, in general, of the server to which vCenter is trying to connect.

Command 1 (RSA-authenticated and plain AES suites only) should fail with a handshake failure:
echo Q |openssl s_client -connect <SERVER_IP>:443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA -curves prime256v1:secp384r1:secp521r1

Command 2 (ECDHE-ECDSA suites) should succeed:
echo Q |openssl s_client -connect <SERVER_IP>:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA -curves prime256v1:secp384r1:secp521r1
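The two probes above can be wrapped so that the outcome is classified automatically rather than read off the openssl transcript by eye. The script below is an added example, not part of the KB article: it runs the same two openssl s_client commands against a host given on the command line and reports whether the result matches the symptom this article describes (RSA suites rejected, ECDHE-ECDSA suites accepted). The cipher lists and curves are the ones from the article; the classification rules on the openssl output and the `precheck` function name are assumptions of this example.

```shell
#!/bin/sh
# Added pre-check helper (not from the KB). Usage: ./precheck.sh <SERVER_IP>
# Runs the article's two openssl s_client probes and classifies each result.

# Cipher lists exactly as in the article's Command 1 and Command 2
RSA_SUITES='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA'
ECDSA_SUITES='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA'
CURVES='prime256v1:secp384r1:secp521r1'

# probe HOST SUITES -> prints the full openssl s_client transcript (stdout and stderr)
probe() {
  echo Q | openssl s_client -connect "$1:443" -tls1_2 -cipher "$2" -curves "$CURVES" 2>&1
}

# classify TRANSCRIPT -> "ok" when openssl negotiated a cipher, "fail" otherwise.
# openssl prints "Cipher is (NONE)" and "alert handshake failure" on a failed
# handshake and "Cipher is <SUITE>" on success (assumed output format).
classify() {
  case "$1" in
    *"Cipher is (NONE)"*|*"handshake failure"*) echo fail ;;
    *"Cipher is "*)                             echo ok ;;
    *)                                          echo fail ;;
  esac
}

# symptom_present RSA_RESULT ECDSA_RESULT -> "yes" only for the article's pattern:
# Command 1 fails and Command 2 succeeds
symptom_present() {
  if [ "$1" = fail ] && [ "$2" = ok ]; then echo yes; else echo no; fi
}

# precheck HOST -> one summary line for the operator
precheck() {
  rsa_result=$(classify "$(probe "$1" "$RSA_SUITES")")
  ecdsa_result=$(classify "$(probe "$1" "$ECDSA_SUITES")")
  echo "RSA suites: $rsa_result, ECDSA suites: $ecdsa_result, symptom present: $(symptom_present "$rsa_result" "$ecdsa_result")"
}

if [ -n "${1:-}" ]; then precheck "$1"; fi
```

If the summary line reads "symptom present: no" (for instance both probes succeed, or both fail), the 503 has a different cause and the profile edit in the Resolution section is not the right fix.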

Environment

VMware vCenter Server 8.0.2
VMware vCenter Server 8.0.x

Resolution

Note: Ensure there is a valid backup or offline snapshot of the VCSA before implementing the workaround. Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.

Enable DSA (ECDHE-ECDSA) ciphers for vCenter via the internal TLS profiles file /etc/applmgmt/appliance/tls_settings.yaml. WARNING: Do not alter this file in any other way without explicit instructions from Broadcom.

1. Manually make a backup of the TLS settings file tls_settings.yaml:

cp /etc/applmgmt/appliance/tls_settings.yaml ~/tls_settings.yaml.bak

2. Edit the COMPATIBLE and COMPATIBLE-NON-FIPS profiles in /etc/applmgmt/appliance/tls_settings.yaml so that they match the following (the full file is printed out; the ECDHE-ECDSA suites tested by Command 2 are the entries being added):

tls_profiles:
   - name: COMPATIBLE
     documentation: Current TLS configuration as derived from bora/lib/ssl
     fips_enforced: true
     groups:
       - prime256v1
       - secp384r1
       - secp521r1
     tls_protocols:
       - version: tlsv1_2
         ciphers:
           - ECDHE-RSA-AES256-GCM-SHA384
           - ECDHE-RSA-AES128-GCM-SHA256
           - ECDHE-ECDSA-AES256-GCM-SHA384
           - ECDHE-ECDSA-AES128-GCM-SHA256
           - AES256-GCM-SHA384
           - AES128-GCM-SHA256
           - ECDHE-RSA-AES256-SHA
           - ECDHE-RSA-AES128-SHA
           - ECDHE-ECDSA-AES256-SHA
           - ECDHE-ECDSA-AES128-SHA
           - AES256-SHA
           - AES128-SHA
       - version: tlsv1_3
         ciphers:
           - TLS_AES_256_GCM_SHA384
           - TLS_AES_128_GCM_SHA256
   - name: COMPATIBLE-NON-FIPS
     documentation: Modified current TLS configuration to allow non-FIPS TLSv1.3 from Envoy proxy
     fips_enforced: false
     groups:
       - prime256v1
       - secp384r1
       - secp521r1
     tls_protocols:
       - version: tlsv1_2
         ciphers:
           - ECDHE-RSA-AES256-GCM-SHA384
           - ECDHE-RSA-AES128-GCM-SHA256
           - ECDHE-ECDSA-AES256-GCM-SHA384
           - ECDHE-ECDSA-AES128-GCM-SHA256
           - AES256-GCM-SHA384
           - AES128-GCM-SHA256
           - ECDHE-RSA-AES256-SHA
           - ECDHE-RSA-AES128-SHA
           - ECDHE-ECDSA-AES256-SHA
           - ECDHE-ECDSA-AES128-SHA
           - AES256-SHA
           - AES128-SHA
       - version: tlsv1_3
         ciphers:
           - TLS_AES_256_GCM_SHA384
           - TLS_AES_128_GCM_SHA256

3. Run the following command to apply the updated profile:

python3 /usr/lib/applmgmt/support/scripts/tls_profiles/update_tls_profiles.py -p COMPATIBLE --upgrade

4. Restart the rhttpproxy service:

service-control --restart rhttpproxy

5. Test whether the problem is resolved (re-run the pre-check: Command 1 should now succeed as well).

6. If the problem is resolved, remove the backed-up TLS profiles file:

rm ~/tls_settings.yaml.bak
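A hand edit of a YAML file is easy to get subtly wrong (one profile updated, the other not; a suite pasted under tlsv1_3 instead of tlsv1_2), and the update script in step 3 will happily load whatever is there. The script below is an added example, not part of the KB article: it checks that each of the two profiles named in step 2 lists all four ECDHE-ECDSA suites before running the step 3 and step 4 commands from the article. The file path and the update/restart commands are the article's; the `ecdsa_counts`, `profile_ready` and `apply_workaround` function names, the line-pattern parsing, and the miniature sample file written by `write_sample` (constructed only so the check can be exercised offline) are assumptions of this example.

```shell
#!/bin/sh
# Added verification helper (not from the KB). Usage: ./apply_tls_fix.sh apply
# Refuses to run the update script until both profiles carry the ECDSA suites.

# Path from the article; override with TLS_FILE=... for testing against a copy
TLS_FILE=${TLS_FILE:-/etc/applmgmt/appliance/tls_settings.yaml}

# ecdsa_counts FILE -> one "<profile> <n>" line per tls_profiles entry, where n is
# the number of "- ECDHE-ECDSA-*" cipher lines that appear under that profile
ecdsa_counts() {
  awk '
    /^ *- name:/        { if (name != "") print name, n; name = $3; n = 0 }
    /^ *- ECDHE-ECDSA-/ { n++ }
    END                 { if (name != "") print name, n }
  ' "$1"
}

# profile_ready FILE PROFILE -> "yes" if PROFILE lists at least the four
# ECDHE-ECDSA suites from step 2, "no" otherwise (including a missing profile)
profile_ready() {
  n=$(ecdsa_counts "$1" | awk -v p="$2" '$1 == p { print $2 }')
  if [ "${n:-0}" -ge 4 ]; then echo yes; else echo no; fi
}

# write_sample FILE -> constructed miniature of an edited file: COMPATIBLE has
# been updated, COMPATIBLE-NON-FIPS has not (only the lines the check reads)
write_sample() {
  cat > "$1" <<'EOF'
tls_profiles:
   - name: COMPATIBLE
     tls_protocols:
       - version: tlsv1_2
         ciphers:
           - ECDHE-RSA-AES256-GCM-SHA384
           - ECDHE-ECDSA-AES256-GCM-SHA384
           - ECDHE-ECDSA-AES128-GCM-SHA256
           - ECDHE-ECDSA-AES256-SHA
           - ECDHE-ECDSA-AES128-SHA
   - name: COMPATIBLE-NON-FIPS
     tls_protocols:
       - version: tlsv1_2
         ciphers:
           - ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# apply_workaround -> steps 3 and 4 of the article, gated on the file check
apply_workaround() {
  for p in COMPATIBLE COMPATIBLE-NON-FIPS; do
    if [ "$(profile_ready "$TLS_FILE" "$p")" != yes ]; then
      echo "profile $p in $TLS_FILE does not list the ECDHE-ECDSA suites; not applying" >&2
      return 1
    fi
  done
  python3 /usr/lib/applmgmt/support/scripts/tls_profiles/update_tls_profiles.py -p COMPATIBLE --upgrade \
    && service-control --restart rhttpproxy
}

if [ "${1:-}" = apply ]; then apply_workaround; fi
```

The check only counts suite lines under each profile's name, so it does not validate the rest of the YAML; the article's warning about not changing the file in any other way still applies, and the backup from step 1 remains the way to recover from a bad edit.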