"Download failed" error message when attempting to download updates for VCSA 6.5

Article ID: 322791


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
In vCenter Server Appliance (VCSA) 6.5 (vsphere65p05 and later), when you connect to an online repository to download and apply a patch and VCSA cannot verify the repository URL, the VAMI UI displays a download error.

You can confirm this in /var/log/vmware/applmgmt/software-packages.log. A sample log snippet follows:

<YYYY-MM-DD>T12:21:41.063 [43512]ERROR:vmware.vherd.base.software_update:Unable to connect to url ftps://<REPOSITORY SERVER IP Address/FQDN>/dj/manifest/manifest-latest.xml. Please use wget-security options in /etc/applmgmt/appliance/update.conf
<YYYY-MM-DD>T12:21:41.063 [43512]DEBUG:vmware.vherd.base.software_update:Failure: 
out=
error=--<YYYY-MM-DD> 12:21:41--  ftps://<REPOSITORY SERVER IP Address/FQDN>/dj/manifest/manifest-latest.xml
           => ‘/storage/core/software-packages/manifest-latest.xml’
Connecting to <REPOSITORY SERVER IP Address/FQDN>:21... connected.
==> AUTH TLS ... ERROR: cannot verify <REPOSITORY SERVER IP Address/FQDN>'s certificate, issued by ‘emailAddress=<EmailAddress>,CN=<REPOSITORY SERVER IP Address/FQDN>,OU=<Org Unit>,O=<Company>,L=<City>,ST=<State>,C=<Country code>’:
  Self-signed certificate encountered.
To connect to <REPOSITORY SERVER IP Address/FQDN> insecurely, use '--no-check-certificate'.

rc=-6

<YYYY-MM-DD>T12:21:41.063 [43512]ERROR:vmware.vherd.base.software_update:Download failed, please check the URL and the network connection.


Environment

VMware vSphere ESXi 6.5

Cause

The error message indicates that VCSA is unable to verify the CA certificate from the repository server. This behaviour change follows the security recommendation to stop using the "--no-check-certificate" option.

Resolution

To resolve this issue, add the certificate from the repository to vCenter as trusted. The certificate is located at the URL displayed in the log, and that URL varies depending on the specific repository location. Look for this message in the log snippet above:
Connecting to <REPOSITORY SERVER IP Address/FQDN>:21... connected.

Go to this URL in your web browser and export the certificate in base64 format. Save it as a .cer file with a name of your choosing, such as repository.cer.

Then, choose one of the following options to import:

Resolution 1 - Add the trusted root certificate to the certificate repository 

For the steps to add a trusted root certificate to the Trusted Roots store, see "Add a Trusted Root Certificate to the Certificate Store" in the vSphere 6.5 Product Documentation.

Resolution 2 - Upload a repository server certificate

Upload a repository server certificate to /etc/applmgmt/appliance/patching_def.crt using these steps:
  1. Connect to your vCenter Server Appliance (VCSA) using SSH
  2. Create the file /etc/applmgmt/appliance/patching_def.crt using the command vi /etc/applmgmt/appliance/patching_def.crt
  3. Copy the repository server certificate to this file
  4. Save the file
  5. Retry the updates
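
An added example, not part of the original article or of VMware's tooling: a shell helper that pulls the unverifiable host and wget's stated reason out of software-packages.log, plus an openssl call that displays the exported certificate's fingerprint so it can be compared with the repository owner's value before the file is trusted. The function names, the host repo.example.com and the sample log are constructed, and openssl being installed on the appliance is an assumption.

```shell
# Added example (not from the article): triage helpers for this error.

# Print "host<TAB>reason" once per distinct certificate failure that wget
# recorded. Reads the files given as arguments, or stdin when there are none.
cert_failures() {
    awk -v q="'" '
        index($0, "ERROR: cannot verify ") && index($0, q "s certificate") {
            host = $0
            sub(/.*ERROR: cannot verify /, "", host)
            host = substr(host, 1, index(host, q "s certificate") - 1)
            pending = 1      # wget prints the reason on the following line
            next
        }
        pending {
            reason = $0
            sub(/^[ \t]+/, "", reason)
            sub(/[ \t\r]+$/, "", reason)
            key = host "\t" reason
            if (!(key in seen)) { seen[key] = 1; print key }
            pending = 0
        }
    ' "$@"
}

# Show subject, issuer, SHA-256 fingerprint and expiry of the exported file so
# they can be compared with the repository owner's values before trusting it.
# Assumes openssl is installed where this runs.
show_cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256 -enddate
}

# Constructed sample log (hypothetical host repo.example.com), shaped like the
# snippet in the article.
sample_log() {
    cat <<'EOF'
2024-01-01T12:21:41.063 [43512]ERROR:vmware.vherd.base.software_update:Unable to connect to url ftps://repo.example.com/dj/manifest/manifest-latest.xml. Please use wget-security options in /etc/applmgmt/appliance/update.conf
Connecting to repo.example.com:21... connected.
==> AUTH TLS ... ERROR: cannot verify repo.example.com's certificate, issued by ‘CN=repo.example.com,O=Example’:
  Self-signed certificate encountered.
To connect to repo.example.com insecurely, use '--no-check-certificate'.
rc=-6
EOF
}

# Demo on the sample; on the appliance pass the real log path instead:
#   cert_failures /var/log/vmware/applmgmt/software-packages.log
sample_log | cert_failures
```

Run show_cert_identity repository.cer on the exported file before copying it into /etc/applmgmt/appliance/patching_def.crt.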