Deployment of Endpoint Protection or Malware Prevention Service on ESX 8.0U2 Fails Due to OVF URL Hosted on an Untrusted HTTPS Server.

Article ID: 345774


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
Service deployment on ESX 8.0U2 fails with the status:
Error creating agency for deployment unit <id>. Error while creating agency: null. Delete this deployment and create another one.
See also https://kb.vmware.com/s/article/93130.

Impacted version: NSX 4.1.1

Environment

VMware NSX 4.1.1

Cause

The deployment framework for Endpoint Protection or Malware Prevention Service relies on the vSphere ESX Agent Manager (EAM) to download OVF files from the URLs specified in the service definition. Starting with ESX 8.0U2, EAM's default behavior is to transfer data only from depots it deems trustworthy. An HTTPS depot whose SSL certificate does not chain to a trusted CA is not considered trustworthy, so EAM refuses to download the OVF and the deployment fails with the error above.

Resolution

1. Replace the HTTPS SSL certificate with a valid one signed by one of the Photon OS CAs or by a CA present in VECS TRUSTED_ROOTS.
For Endpoint Protection, refer to the partner documentation on how to replace the HTTPS SSL certificate.

2. Add the root CA certificate that signed the file server certificate to the VMware Endpoint Certificate Store (VECS) TRUSTED_ROOTS store. Refer to Add a Trusted Root Certificate to the Certificate Store and the vecs-cli Command Reference for more information.
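Before choosing between the two resolutions it helps to confirm, from the VCSA, whether the certificate served at the OVF URL actually chains to a CA in VECS TRUSTED_ROOTS. The script below is an added example, not part of this KB; it assumes the standard VCSA path for vecs-cli and that openssl is available in the shell, and the sample URLs in the comments are constructed.

```shell
#!/bin/sh
# Added example: does the OVF URL's HTTPS certificate chain to a CA in
# VECS TRUSTED_ROOTS? Run on the VCSA as root. The vecs-cli path below is
# the standard VCSA location (assumption; adjust if yours differs).
set -eu

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Host part of an https:// URL, e.g. https://ovf.example.test:8443/x.ovf
# (constructed sample) -> ovf.example.test. Strips scheme, userinfo, port, path.
ovf_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h"
}

# Port part of the URL, defaulting to 443 when none is given.
ovf_port() {
    p=${1#*://}; p=${p%%/*}; p=${p##*@}
    case $p in
        *:*) printf '%s\n' "${p##*:}" ;;
        *)   printf '443\n' ;;
    esac
}

# Only https:// depots are subject to the EAM trust evaluation.
is_https() {
    case $1 in https://*) return 0 ;; *) return 1 ;; esac
}

# Export the PEM blocks from VECS TRUSTED_ROOTS into a CA bundle file ($1).
export_trusted_roots() {
    "$VECS_CLI" entry list --store TRUSTED_ROOTS --text \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$1"
}

# Fetch the chain the OVF server presents and verify it against the bundle.
# Prints the leaf issuer so the admin knows which root CA would need importing.
check_ovf_url() {
    url=$1; bundle=$2
    is_https "$url" || { echo "not https: EAM trust check does not apply"; return 0; }
    host=$(ovf_host "$url"); port=$(ovf_port "$url")
    chain=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$chain"
    echo "leaf issuer: $(openssl x509 -in "$chain" -noout -issuer)"
    openssl verify -CAfile "$bundle" -untrusted "$chain" "$chain" \
        || echo "chain NOT trusted by VECS TRUSTED_ROOTS: EAM will refuse this OVF"
    rm -f "$chain"
}
```

Typical use: `export_trusted_roots /tmp/vecs-roots.pem` followed by `check_ovf_url "<OVF URL>" /tmp/vecs-roots.pem`; a clean `OK` from openssl verify means resolution 1 is already satisfied, otherwise the printed issuer is the CA to handle under resolution 2.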

Workaround:

Note: the following workaround involves a security risk.

1. Configure the leaf SSL certificate of the OVF URL as trusted.
The Endpoint Protection or Malware Prevention service OVF URL can be obtained from the service definition in the NSX UI or API.
Log in to the VCSA through SSH as root and run the command below:
 /usr/lib/vmware-eam/bin/eam-utility.py install-cert <OVF URL>
 Note:
a. The operation above can be reverted by running:
 /usr/lib/vmware-eam/bin/eam-utility.py uninstall-cert <OVF URL>
b. The SSL trust configuration provided by the script does not persist across vCenter major upgrades.