vCenter SHA-1 validation Upgrade Precheck fails due to HCX VM.

Article ID: 377581

Updated On:

Products

VMware SDDC Manager, VMware HCX

Issue/Introduction

This article provides a solution for the certificate validation error that occurs when an HCX VM is installed in the vCenter.

  • vSphere SHA-1 Validation is failing with the following error:

  • Executing the script provided in the article "Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm" does not report any certificate with a weak algorithm in the vCenter VECS store.

  • The environment is using an HCX VM. The HCX mobilityagent logs contain errors similar to the excerpt below:

    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:<username>] Activation <<########-####-####-####-############, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 36042'>>, ha-certificate-manager, vim.host.CertificateManager.listCACertificates, <vim.version.v8_0_2_0, internal, 8.0.2.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x00007f6b5c009188]> : Invoke done [listCACertificates] on [vim.host.CertificateManager:ha-certificate-manager]
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:<username>] Throw vmodl.fault.SecurityError
    info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID=########-#### user=:<username>] Result:
    --> (vmodl.fault.SecurityError) {
    -->    faultCause = (vmodl.MethodFault) null, 
    -->    faultMessage = <unset>
    -->    msg = ""
    --> }

Environment

  • VMware Cloud Foundation 5.1
  • VMware HCX 4.9.0 or earlier

Cause

HCX deploys an ESX virtual machine that is not a standard ESX host. It does not support some APIs, such as ListCACertificates(), which the script calls to run its checks.

As a result, when the script runs against the HCX ESX virtual machine, it fails to retrieve the certificates and throws the error "Caught exception while validating host ###-HCX-ESX-IP: Access to perform the operation was denied."
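To confirm that a failed precheck matches this cause rather than a genuinely weak certificate, the mobilityagent log can be scanned for a listCACertificates call that ends in vmodl.fault.SecurityError under the same opID. The following is an added example, not part of the original article or of the Broadcom script; it assumes log lines in the format of the excerpt above, and the function name and sample values are hypothetical.

```python
import re

# Line header as it appears in the excerpt above: process id and opID.
HEADER = re.compile(r"mobilityagent\[(?P<pid>\d+)\].*?opID=(?P<opid>\S+)")
INVOKE = re.compile(r"Invoke done \[(?P<method>\w+)\]")
THROW = re.compile(r"Throw (?P<fault>vmodl\.fault\.\w+)")

def find_denied_calls(lines, method="listCACertificates",
                      fault="vmodl.fault.SecurityError"):
    """Return (pid, opID) for each `method` call followed by `fault`
    under the same process id and opID."""
    pending = {}  # (pid, opID) -> most recently completed method
    hits = []
    for line in lines:
        head = HEADER.search(line)
        if head is None:
            continue  # "--> ..." continuation lines carry no header
        key = (head["pid"], head["opid"])
        invoke = INVOKE.search(line)
        if invoke:
            pending[key] = invoke["method"]
            continue
        thrown = THROW.search(line)
        if thrown and key in pending:
            called = pending.pop(key)
            if called == method and thrown["fault"] == fault:
                hits.append(key)
    return hits

# Constructed sample: opIDs, user and the second method name are made up.
P = "info mobilityagent[02425] [Originator@6876 sub=Solo.Vmomi opID="
SAMPLE = [
    P + "aaaa1111-0001 user=:example] Activation <...> : Invoke done "
        "[listCACertificates] on [vim.host.CertificateManager:ha-certificate-manager]",
    P + "aaaa1111-0001 user=:example] Throw vmodl.fault.SecurityError",
    P + "aaaa1111-0001 user=:example] Result:",
    "--> (vmodl.fault.SecurityError) {",
    "--> }",
    P + "bbbb2222-0002 user=:example] Activation <...> : Invoke done "
        "[exampleMethod] on [vim.host.Example:ha-example]",
    P + "bbbb2222-0002 user=:example] Throw vmodl.fault.SecurityError",
]

if __name__ == "__main__":
    for pid, opid in find_denied_calls(SAMPLE):
        print(f"pid={pid} opID={opid}: listCACertificates denied with SecurityError")
```

A hit only shows that the API call was denied on that host; it says nothing about the signature algorithms of certificates held elsewhere.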

Resolution

This issue is resolved in VMware HCX 4.9.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.