The certificates has to be trusted again after they are changed due to security implications. The initial certificates are validated via TOFU when the vCenter is registered with the gateway. Now, if the certificates are updated, services do not receive the untrusted certificates and all activities start failing.

When the vCenter certificates are updated after it has been registered with the gateway appliance, the services do not pick up the latest certificates as they are not yet trusted leading to failure in post-registration activities.

Engineering is working on this issue.  Please follow the workaround for now.

The work around is to trust the updated certificates again. In order to do this, the following steps need to be performed:

1. Download the script update_vc_certificate.py attached with this article.
2. SCP/Upload the downloaded script to the Gateway appliance.
3. SSH into the Gateway appliance.
4. Run the following command on the ssh console: 
   • python update_vc_certificate.py --vcIpOrHostname  <VC_IP_OR_HOSTNAME_WHATEVER_WAS_PROVIDED_DURING_VCENTER_REGISTRATION>
5. The above command will output the thumbprint of the current certificates available on the vCenter like

root@localhost [ ~ ]# python update_vc_certificate.py --vcIpOrHostname 10.184.104.188
Latest thumbprint for 10.184.104.188: {"thumbprint": "D9:E9:A5:CE:61:DA:A4:B5:0F:56:9C:4F:66:0F:44:CD:A1:37:AE:0F:86:09:FC:CB:E2:C5:BD:9B:A2:27:AE:E7", "digestAlgorithm": "SHA-256"}
After you have verified the thumbprint, run the following command:
python update_vc_certificate.py --vcIpOrHostname <VC_IP_OR_HOSTNAME_WHATEVER_WAS_PROVIDED_DURING_VCENTER_REGISTRATION> --thumbprint '<THUMBPRINT_RECEIVED_FROM_STEP_4>'
example:
root@localhost [ ~ ]# python update_vc_certificate.py --vcIpOrHostname 10.184.104.188 --thumbprint '{"thumbprint": "D9:E9:A5:CE:61:DA:A4:B5:0F:56:9C:4F:66:0F:44:CD:A1:37:AE:0F:86:09:FC:CB:E2:C5:BD:9B:A2:27:AE:E7", "digestAlgorithm": "SHA-256"}'
PLEASE NOTE: You need the thumbprint value between single quotes as shown above.