Manual registration of SDDC Manager root CA certificates on vCenter Cloud Gateway



Article ID: 313201


Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

The SSL certificate on the SDDC Manager can be updated/rotated on a regular basis. When the SDDC Manager certificate is updated, communication between VC Discovery Agent & SDDC Manager will break.


Symptoms:

The VC Discovery Agent is no longer able to make SSL calls to the SDDC Manager, and each subsequent poll of the SDDC Manager inventory fails with a PKIX/SSL handshake error.


Cause

Currently, the VC Discovery Agent has no mechanism to detect SDDC Manager certificate changes automatically. Whenever the SDDC Manager certificate is rotated or updated, communication between the VC Discovery Agent and the SDDC Manager breaks, because the VC Discovery Agent is not aware of the new SDDC Manager certificate/thumbprint.

Resolution

Currently there is no resolution to the issue. This will be fixed in future releases.


Workaround:

To work around the issue, follow the steps below:

  1. SSH to the vCenter Cloud Gateway:

ssh root@${GATEWAY_IP}

  2. Get the session_id for vcf-common-agent using the commands below:

docker ps --filter "name=vcf-common-agent"
docker inspect <vcf-common-agent_container_id> | grep "AGENT_SESSION"

  3. Get the vCenter Cloud Gateway base URL:

docker inspect <vcf-common-agent_container_id> | grep GW_BASE_URL

  4. Get the SDDC Manager thumbprint details:

curl -u tester:<session_id> -X GET "http://GW_BASE_URL/agents/vc-discovery-agent/api/v1/vcenter/certificate-thumbprint?hostnameOrIp=<SDDC_MANAGER_IP_OR_FQDN>&port=443" -H "accept: application/json"

Sample Output:
{"thumbprint":"80:0A:85:58:C4:EE:F8:E4:BA:30:AF:05:8B:16:87:72:2F:CB:83:3D:93:52:B6:E0:1D:37:04:B5:F6:D3:77:39","digestAlgorithm":"SHA-256"}

  5. Update the VC Discovery Agent (VCDA) using the API below, with the JSON returned in step 4 as the request body:

curl -u tester:<session_id> -X POST "http://GW_BASE_URL/agents/vc-discovery-agent/api/v1/vcf/refresh" -H "accept: application/json" -H "Content-Type: application/json" -d '{ "thumbprint": "80:0A:85:58:C4:EE:F8:E4:BA:30:AF:05:8B:16:87:72:2F:CB:83:3D:93:52:B6:E0:1D:37:04:B5:F6:D3:77:39", "digestAlgorithm": "SHA-256" }'
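The steps above, collected into shell helpers as an added example (not part of this KB article or of any VMware tooling): the helpers parse the docker inspect and thumbprint-API output, refuse to post anything that is not a well-formed SHA-256 thumbprint, and build the refresh body. They assume they run on the gateway with docker and curl available, that GW_BASE_URL already carries its scheme, and that the agent's JSON reply is flat as in the sample output; the function names are invented.

```shell
#!/bin/sh
# Added example for the workaround above; assumptions noted in the lead-in.

# Pull VAR=value out of a docker inspect dump (stdin), e.g. GW_BASE_URL or AGENT_SESSION.
agent_env_value() {
    sed -n "s/.*\"$1=\([^\"]*\)\".*/\1/p" | head -n 1
}

# Read one string field from the agent's flat JSON reply ($2) by name ($1).
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# A SHA-256 thumbprint is exactly 32 colon-separated hex octets.
# Anything else means an unexpected reply; it must not be registered.
is_sha256_thumbprint() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# Build the body the /vcf/refresh endpoint expects (step 5).
refresh_payload() {
    printf '{ "thumbprint": "%s", "digestAlgorithm": "%s" }' "$1" "$2"
}

# Steps 4 and 5 together: fetch the thumbprint, validate it, then refresh.
# $1 = GW_BASE_URL, $2 = session_id, $3 = SDDC Manager IP or FQDN
refresh_vcda_trust() {
    reply=$(curl -s -u "tester:$2" -X GET \
        "$1/agents/vc-discovery-agent/api/v1/vcenter/certificate-thumbprint?hostnameOrIp=$3&port=443" \
        -H "accept: application/json") || return 1
    tp=$(json_field thumbprint "$reply")
    alg=$(json_field digestAlgorithm "$reply")
    [ "$alg" = "SHA-256" ] && is_sha256_thumbprint "$tp" || return 1
    # Compare this value with the thumbprint shown by SDDC Manager itself
    # before trusting it, since whatever is posted here becomes the pinned value.
    echo "Registering $alg thumbprint $tp for $3"
    curl -s -u "tester:$2" -X POST "$1/agents/vc-discovery-agent/api/v1/vcf/refresh" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d "$(refresh_payload "$tp" "$alg")"
}
```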