While upgrading a TKGI environment with Tanzu Operations Manager v3.0.29+LTS-T, the following occurs:
During Apply Changes, Operations Manager reports the following error:
Error: Unknown CPI error 'Unknown' with message 'Problem with the local SSL certificate' in 'set_vm_metadata' CPI method
BOSH CPI task logs show the following:
CPI error “The URL https://<VCENTER_URL>/sdk/vimService does not have a valid SSL certificate”
This causes Apply Changes to fail.
Tanzu Operations Manager v3.0.29+LTS-T
TKGI (upgrading to a version which supports v3.0.29+LTS-T or later)
NSX-T configured with Certificate Authentication on vSphere
There is a known issue with Operations Manager v3.0.29+LTS-T:
[Known Issue] Configuring NSX-T with Certificate Authentication on vSphere results in CPI error “The URL https://<VCENTER_URL>/sdk/vimService does not have a valid SSL certificate” causing Apply Changes to fail.
The issue is fixed in Operations Manager v3.0.30+LTS-T:
[Known Issue Fix] NSX-T Certificate Authentication no longer fails during Apply Changes due to the private key being mutated
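To confirm that a failed Apply Changes matches this known issue before upgrading, the following added example (not part of the original article or of any VMware tooling) checks the Operations Manager version and a saved BOSH CPI task log for the error text quoted above. The function names, the sample hostname and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example: classify a failed Apply Changes from the
# Operations Manager version and a saved BOSH CPI task log.

AFFECTED_VERSION="3.0.29+LTS-T"   # affected version named in the article
# Error text quoted in the article (the vCenter hostname varies, so it is not matched).
SIG_OPSMAN="message 'Problem with the local SSL certificate' in 'set_vm_metadata' CPI method"
SIG_CPI="/sdk/vimService does not have a valid SSL certificate"

# has_signature LOGFILE -> exit 0 if either error signature is present.
has_signature() {
  if grep -qF -- "$SIG_OPSMAN" "$1"; then return 0; fi
  if grep -qF -- "$SIG_CPI" "$1"; then return 0; fi
  return 1
}

# classify_failure VERSION LOGFILE
# Prints one of: known-issue | signature-only | no-match
classify_failure() {
  _ver="${1#v}"                   # accept "v3.0.29+LTS-T" or "3.0.29+LTS-T"
  if ! has_signature "$2"; then
    echo "no-match"
  elif [ "$_ver" = "$AFFECTED_VERSION" ]; then
    echo "known-issue"
  else
    echo "signature-only"         # same error text on another version: investigate separately
  fi
}

# Constructed sample logs (hostname and the unrelated error line are made up).
SAMPLE_FAIL="$(mktemp)"
SAMPLE_OTHER="$(mktemp)"
cat > "$SAMPLE_FAIL" <<'EOF'
Error: Unknown CPI error 'Unknown' with message 'Problem with the local SSL certificate' in 'set_vm_metadata' CPI method
CPI error "The URL https://vcenter.example.test/sdk/vimService does not have a valid SSL certificate"
EOF
cat > "$SAMPLE_OTHER" <<'EOF'
Error: Timed out pinging VM after 600 seconds
EOF

classify_failure "v3.0.29+LTS-T" "$SAMPLE_FAIL"    # known-issue
classify_failure "v3.0.30+LTS-T" "$SAMPLE_FAIL"    # signature-only
classify_failure "v3.0.29+LTS-T" "$SAMPLE_OTHER"   # no-match
```

A `signature-only` result means the error text is present but the version is not the affected one, so the vCenter certificate and trust configuration should be checked instead.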
High Level Resolution:
Upgrade the existing Operations Manager from v3.0.29+LTS-T to v3.0.30+LTS-T, using the typical Upgrading your Tanzu Operations Manager deployment process.
Then Apply Changes to all affected tiles.
Procedure:
- Download the v3.0.30+LTS-T OVA and any necessary stemcells in preparation for the upgrade
- Export the current Operations Manager configuration from the current v3.0.29+LTS-T and TKGI 1.xx.x environment
- Upgrade Operations Manager to v3.0.30+LTS-T using the v3.0.30+LTS-T OVA
- Apply Changes again to all affected tiles