After connecting to the vCenter Server over SSH, the vcha.log under /var/log/vmware/vcha contains the following error:
YYYY-MM-DDThh:mm:ss error vcha[37400] [Originator@6876 sub=IO.Http opID=SWI-427c3c55] User agent failed to send request; (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception:
Verification parameters:
--> PeerThumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
--> ExpectedThumbprint:
--> ExpectedPeerName: <vCenter FQDN>
--> The remote host certificate has these problems:
-->
--> * unable to get issuer certificate)
The vcha logs on the passive vCenter Server node contain events similar to the following:
YYYY-MM-DDThh:mm:ss info vcha[41137] [Originator@6876 sub=Cluster opID=SWI-41a7] hostId=xx.xx.xx.xx state=Slave master=xx.xx.xx.xx isolated=false host-list-version=1 config-version=0 vm-metadata-version=0 slv-mst-tdiff-sec=0
YYYY-MM-DDThh:mm:ss error vcha[41143] [Originator@6876 sub=VchaUtil] Error executing command /opt/vmware/vpostgres/current/bin/psql: exit status=[2], stdout=[], stderr=[psql.bin: SSL error: certificate verify failed
vCenter Server 6.x
vCenter Server 7.x
vCenter Server 8.x
When vCenter HA is recreated after a change such as replacing the Machine SSL certificate with a custom certificate, the certificate chain may be incomplete, or an intermediate certificate in the customer environment may have expired or been replaced. The certificate can then no longer be verified successfully, and the vCenter HA configuration fails.
The fix is to ensure that the certificate chain is complete and verifiable.
Note: Take an offline snapshot of the vCenter Server(s) before making any changes to the vCenter Server.
Check the certificate that the vCenter Server presents on port 443, including its fingerprint, and compare the fingerprint with the PeerThumbprint shown in the error:
echo "" | openssl s_client -connect <vCenter FQDN>:443 | openssl x509 -text -noout -fingerprint
List the certificates in the VECS TRUSTED_ROOTS store and confirm that the root certificate and every intermediate certificate of the Machine SSL certificate's chain are present and not expired:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
List the trusted certificates published in the VMware Directory Service:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
Export a CA certificate by its CN id from the list output to a file, authenticating as the SSO administrator (typically administrator@vsphere.local):
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id <CN_id> --login <SSO_ADMIN_USER> --password <PASSWORD> --outcert /tmp/CA_certificate.crt
Publish the required CA certificate so that it is present in the trusted certificate store:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/CA_certificate.crt
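To see the failure class behind the vcha.log message without touching a real vCenter, the following added example (not part of this article or of any VMware tool) builds a throwaway root, intermediate and leaf chain with openssl as constructed test data, then shows that the leaf verifies only when the intermediate is available; fetch_presented_chain is a hypothetical helper that applies the same capture step to a real host and is not run here. It assumes only that openssl is installed.

```shell
#!/bin/sh
# Added example: demonstrate "unable to get issuer certificate" with a local chain.
set -eu
WORK=$(mktemp -d)   # constructed test material lives here

# Issue a certificate: $1=name $2=subject $3=extensions $4=issuer name ("" = self-signed) $5=serial
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "$2" 2>/dev/null
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -set_serial "${5:-1}" -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Constructed chain: Demo Root CA -> Demo Intermediate CA -> leaf for a made-up vCenter FQDN
make_demo_chain() {
  issue_cert root "/CN=Demo Root CA" "basicConstraints=critical,CA:TRUE" ""
  issue_cert int  "/CN=Demo Intermediate CA" "basicConstraints=critical,CA:TRUE,pathlen:0" root 1001
  issue_cert leaf "/CN=vcenter.example.test" "basicConstraints=CA:FALSE" int 2001
}

# Verify leaf $1 against trusted roots $2, using $3 (may be "") as untrusted intermediates.
# Returns 0 when a chain to a trusted root can be built, non-zero otherwise.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Hypothetical helper for a real host: save every certificate presented on $1:443 into $2.
fetch_presented_chain() {
  echo "" | openssl s_client -connect "$1:443" -showcerts 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

make_demo_chain
if verify_chain "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt"; then
  echo "complete chain: verified"
fi
if ! verify_chain "$WORK/leaf.crt" "$WORK/root.crt" ""; then
  echo "intermediate missing: verification failed (same failure class as the vcha.log error)"
fi
echo "test files left in $WORK"
```

On a real vCenter the same check is fetch_presented_chain followed by verify_chain against the roots exported from the TRUSTED_ROOTS store; a failure there means the chain published to vmdir is still incomplete.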
Further troubleshooting steps for vCenter HA are documented in the related VMware knowledge base article.