Subscribed Content Library synchronization fails with error "INVALID_ELEMENT_TYPE"

Article ID: 323149

Products

VMware vCenter Server

Issue/Introduction

  • Subscribed Content Library fails to synchronize with error "INVALID_ELEMENT_TYPE" in the vSphere Client after recent certificate changes made in the vCenter Server.
  • Content library log (path: /var/log/vmware/content-library/cls.log) in the Subscriber library's vCenter shows errorType = INVALID_ELEMENT_TYPE.

[YYYY-MM-DDTHH:MM:SS] | DEBUG    | q-#####:h5ui-getProperties:urn:vapi:com.vmware.content.Library:#######-####-####-####-############:########-####-####-####-d00afd27b464:18559#####:ContentLibrarySpecificCapabilitiesPropertyProviderAdapter:647623-e321-h5:######## | tomcat-http-21            | ApiMethodSkeleton              | Method com.vmware.content.library.subscriptions.get threw an exception
com.vmware.vapi.std.errors.InvalidElementType: InvalidElementType (com.vmware.vapi.std.errors.invalid_element_type) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.vdcs.cls-main.library_subscribed,
    defaultMessage = Library #######-####-####-####-############ is subscribed.,
    args = [#######-####-####-####-############],
    params = <null>,
    localized = <null>
    data = <null>,
    errorType = INVALID_ELEMENT_TYPE

  • Content library log (cls.log) in the Subscriber library's vCenter shows certificate status as unknown in the remote library (Publisher library).
[YYYY-MM-DDTHH:MM:SS] | ERROR    | lon1bh5h-658376-auto-e409-h5:70153882 | tomcat-http-19            | ThumbprintTrustStrategy        | SSL thumbprint mismatch: Received ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##, expected 
[YYYY-MM-DDTHH:MM:SS] | ERROR    | lon1bh5h-658376-auto-e409-h5:70153882 | tomcat-http-19            | VcspClientImpl                 | Remote library certificate error: certificate_unknown(46)
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
  • When subscribing to a publisher library, or while creating a template in the publisher library, "InvalidArgument" or "Error loading data" messages appear in the "New Content Library" window.
  • The vSphere Client can show the error "Unable to process template" during VM deployment.

Environment

  • vCenter 9.x
  • vCenter 8.x
  • vCenter 7.x

Cause

The Subscriber library cannot validate the certificate of the vCenter publisher library, and therefore cannot initiate synchronization, because the com.vmware.cl extension certificate is invalid or expired.

Resolution

Note: Prior to making any changes on the vCenter Server, take a snapshot of the vCenter Virtual Machine. If the vCenter Server is in linked mode, take offline snapshots of all the vCenter Servers in the linked mode. See: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.
 
1. Connect to the vCenter Appliance using an SSH client with the root account.
2. If vCenter Machine_SSL and/or Solution user certificates are expired (review the vCenter certificate status. Refer: Performing a certificate status check using vCert), renew the certificates first. Refer: Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA.
3. Create a folder to store the solution user certificate and key:
mkdir /certificate

4. Export the vpxd-extension certificate and key to the /certificate folder by running the commands below:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
 
5. Run the command below to update the com.vmware.cl extension certificate, and provide the SSO administrator password when prompted:
python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.cl -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s <vCenter-FQDN> -u Administrator@<vsphere.local>
 
Note: If the SSO domain has been customized and differs from the default vsphere.local, make sure to update the -u argument with the correct SSO domain name to match the current configuration.
 
6. Restart the vmware-content-library service:
service-control --restart vmware-content-library
 
7. Test to confirm subscribed content library can synchronize correctly.
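
A pre-flight check that can be run between steps 4 and 5, as an added example that is not part of the original article or any VMware tooling: it confirms that the exported key matches the exported certificate, that the certificate is not about to expire, and that the private key file is not readable by other users. The function name, return codes and 30-day default are assumptions of this example, and it assumes vecs-cli wrote both files as PEM.

```shell
#!/bin/sh
# Added example: pre-flight check for the files exported in step 4, run before step 5.
# Assumption: both files are PEM, so openssl can read them.
# Return codes (chosen for this example): 0 ok, 2 missing file, 3 expiry,
# 4 key/certificate mismatch, 5 private key readable by group or others.
check_extension_cert() {
    crt=$1
    key=$2
    min_days=${3:-30}   # hypothetical default renewal window

    for f in "$crt" "$key"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f is missing or empty" >&2
            return 2
        fi
    done

    # The exported private key should be accessible by its owner only.
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $key has mode $mode; run: chmod 600 $key" >&2
        return 5
    fi

    # The public key in the certificate must equal the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt (or a file is not valid PEM)" >&2
        return 4
    fi

    # -checkend exits non-zero if the certificate expires within the given seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
        echo "FAIL: $crt is expired or expires within $min_days days; renew first (step 2)" >&2
        return 3
    fi

    echo "OK: $(openssl x509 -in "$crt" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Usage on the appliance, with the paths from step 4:
#   check_extension_cert /certificate/vpxd-extension.crt /certificate/vpxd-extension.key
```

Once step 7 succeeds, the copy of the private key under /certificate is no longer needed by the procedure and can be removed.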

Additional Information