If the custom CA root certificate has not been added to the SDDC Manager truststores, errors such as the following may be seen:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In SOS logs:
2020-03-26T11:04:28.661Z [ERROR restutil.py::get::128::_collect_https_esx_logsThread0] GET call failed for https://esxi-1.vrack.vsphere.local/cgi-bin/vm-support.cgi due to HTTPSConnectionPool(host='esxi-1.vrack.vsphere.local', port=443): Max retries exceeded with url: /cgi-bin/vm-support.cgi (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
Note: This log excerpt is an example; the date, time, host names and other environment-specific values will differ in your environment.
When prompted, enter the password.
Notes:
Type yes when prompted to trust the certificate.
Replace <aliasname> with the alias under which the certificate is to be stored in the trust store.
Replace <certificate file> with the full path to the certificate file that was uploaded in Step 1.
Replace <trust store key> with the key value returned in Step 3.
Issue a command similar to the following to import the certificate into the java trust store:
Notes:
Type yes when prompted to trust the certificate.
Replace <certificate file> with the full path to the certificate file that was uploaded in Step 1.
Issue a command similar to the following to verify that the new trusted certificate has been added to the SDDC Manager trust store:
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>
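As an added check, not part of the KB article: the following standalone Python script confirms, without keytool, that a given CA certificate is present in a Java truststore and that the store password is the one the store was written with. It parses the legacy JKS format (what keytool -list reports as "Keystore type: JKS"), verifies the store's SHA-1 integrity digest with the password, and compares the certificate by its SHA-256 fingerprint, the same value keytool -list -v prints. A PKCS12 store is rejected rather than misread. The sample store, its aliases and the placeholder certificate bytes are constructed inline for demonstration; the file paths are illustrative.

```python
import base64
import hashlib
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
# Fixed string the JDK mixes into the integrity digest of every JKS file.
JKS_INTEGRITY_SALT = b"Mighty Aphrodite"


def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _read_bytes(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    return buf[pos:pos + n], pos + n


def _integrity_digest(store_password, body):
    # JKS digest = SHA-1(password as UTF-16BE || "Mighty Aphrodite" || store body)
    return hashlib.sha1(store_password.encode("utf-16-be") + JKS_INTEGRITY_SALT + body).digest()


def parse_jks(data, store_password):
    """Return {alias: DER bytes} for the trusted-certificate entries of a JKS store.
    Raises ValueError for a non-JKS file, a truncated file or a wrong password."""
    if len(data) < 12 + 20:
        raise ValueError("file too short to be a JKS keystore")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore (a PKCS12 store needs a different parser)")
    if version != 2:
        raise ValueError("unsupported JKS version %d" % version)
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp (ms since epoch), not needed for the check
        if tag == TRUSTED_CERT_ENTRY:
            cert_type, pos = _read_utf(data, pos)
            cert, pos = _read_bytes(data, pos)
            if cert_type == "X.509":
                entries[alias] = cert
        elif tag == PRIVATE_KEY_ENTRY:
            # Encrypted key blob, then a chain of (type, cert) pairs; skipped here.
            _, pos = _read_bytes(data, pos)
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)
                _, pos = _read_bytes(data, pos)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    body, digest = data[:pos], data[pos:]
    if len(digest) != 20:
        raise ValueError("truncated store or trailing data after the digest")
    if _integrity_digest(store_password, body) != digest:
        raise ValueError("integrity check failed: wrong store password or tampered store")
    return entries


def build_jks(trusted_certs, store_password):
    """Serialize {alias: DER} as a JKS truststore; used here only to construct sample input."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(trusted_certs))
    for alias, der in trusted_certs.items():
        a, t = alias.encode("utf-8"), b"X.509"
        body += struct.pack(">IH", TRUSTED_CERT_ENTRY, len(a)) + a
        body += struct.pack(">Q", 0)  # timestamp
        body += struct.pack(">H", len(t)) + t + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(store_password, body)


def load_cert(data):
    """Accept a PEM or DER certificate file's contents and return the DER bytes."""
    if b"-----BEGIN" in data:
        lines = [l.strip() for l in data.splitlines() if l.strip() and not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def sha256_fingerprint(der):
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def find_cert(entries, der):
    """Aliases under which the given certificate is stored, matched by SHA-256 fingerprint."""
    want = sha256_fingerprint(der)
    return [alias for alias, cert in entries.items() if sha256_fingerprint(cert) == want]


if __name__ == "__main__":
    # Usage: check_truststore.py <truststore> <store password> <certificate file>
    # e.g. /etc/vmware/vcf/commonsvcs/trusted_certificates.store <trust store key> /tmp/ca-root.crt
    store_path, password, cert_path = sys.argv[1:4]
    with open(store_path, "rb") as f, open(cert_path, "rb") as c:
        found = find_cert(parse_jks(f.read(), password), load_cert(c.read()))
    print("present under alias(es): %s" % found if found else "certificate NOT in truststore")
    sys.exit(0 if found else 1)
```

Run it with the truststore path, the trust store key and the uploaded CA file; an exit status of 1 means the root is still missing and the PKIX and "certificate verify failed" errors above will persist. An integrity failure means the store password is wrong, which is also what keytool reports when the -storepass value does not match.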
This issue is being checked by Diagnostics for VMware Cloud Foundation.
The check is as follows: