You have just updated the custom certificates on your ESXi host and run /sbin/services.sh restart, and now the host will not exit maintenance mode: the task fails with a general system error.
Environment: vSphere with vSAN, using custom certificates.
The cause is that the vsanmgmtd service was not restarted along with the others and is still presenting the old certificate it has cached.
Reboot the ESXi host, or restart just that service:
# /etc/init.d/vsanmgmtd restart
If you arrive at this conclusion the long way round, you will first have ruled out a problem with the vCenter certificate SAN name(s) by confirming that these three values agree:
1. PNID of the vCenter server: # /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
2. Hostname of the vCenter server: # hostname -f
3. SAN (Subject Alternative Name) entries of the exported Machine SSL certificate (machine.cer here): # openssl x509 -in machine.cer -noout -text | grep DNS:
Run the following command on the ESXi host to see the thumbprint of the certificate presented on localhost port 9095 (the listener served by vsanmgmtd):
openssl s_client -connect 127.0.0.1:9095 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
Run the command again against the host's FQDN on port 443:
openssl s_client -connect esxi01.corp.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
The two thumbprints differ: port 443 presents the new certificate, while port 9095 still presents the old one. (SHA-1 is openssl's default fingerprint digest and is the form vCenter stores, so the output compares directly with the VCDB value.)
Then connect to the VCDB on the vCenter Server Appliance and look at what vCenter expects for the host:
/opt/vmware/vpostgres/current/bin/psql -U postgres VCDB
select id,expected_ssl_thumbprint,host_ssl_thumbprint,dns_name from vpx_host where id = '1001';
*NOTE: '1001' in the query is the host ID. Change it to the ID of your affected host; the dns_name column in the output confirms you have the right row.
The thumbprint stored there matches the certificate on port 443 but not the one on localhost:9095, which is why the task complains about the certificate thumbprint for the localhost hostname. A reboot, or a restart of all services with /sbin/services.sh restart followed by /etc/init.d/vsanmgmtd restart, resolves the issue.
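The comparison above can be scripted so the check is repeatable after every certificate replacement. The script below is an added example, not part of the original post or any VMware tool: it normalises thumbprints from openssl output and from the VCDB into one form, reports which listener (port 443, or port 9095 which this post attributes to vsanmgmtd) still presents a certificate that does not match expected_ssl_thumbprint, and returns a usable exit status. The function names are my own, and every fingerprint value in it is constructed sample data; fetch_thumbprint is the only part that talks to a real host and reuses the openssl pipeline from the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the thumbprint vCenter expects for a
# host (vpx_host.expected_ssl_thumbprint) with what the host's port 443 and port 9095
# listeners actually present, and name the listener still serving the old certificate.
# All fingerprint values below are constructed sample data, not taken from a real host.

# Reduce an "openssl x509 -fingerprint" line, or a raw hex string, to upper-case
# colon-separated hex so values from openssl and from the VCDB compare equal.
normalize_thumbprint() {
  printf '%s\n' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/[[:space:]]//g' | tr 'a-f' 'A-F'
}

# Live lookup for real use (needs network access): thumbprint presented on HOST:PORT,
# using the same openssl pipeline as the manual check above.
fetch_thumbprint() {
  normalize_thumbprint "$(openssl s_client -connect "$1:$2" < /dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1)"
}

# Print one line per listener whose certificate does not match the expected thumbprint.
# Arguments: EXPECTED SEEN_ON_443 SEEN_ON_9095.  Prints nothing when everything matches.
stale_listeners() {
  expected=$(normalize_thumbprint "$1")
  [ "$(normalize_thumbprint "$2")" = "$expected" ] || echo "443"
  [ "$(normalize_thumbprint "$3")" = "$expected" ] || echo "9095/vsanmgmtd"
  return 0
}

# Exit 0 when every listener matches, 1 otherwise (usable directly in an if or a cron check).
host_cert_consistent() {
  [ -z "$(stale_listeners "$1" "$2" "$3")" ]
}

# Constructed sample data: the new certificate's thumbprint as stored in the VCDB, the same
# certificate as openssl prints it from port 443, and an old certificate still on 9095.
EXPECTED_FROM_VCDB="4A:1B:C2:D3:E4:F5:06:17:28:39:4A:5B:6C:7D:8E:9F:A0:B1:C2:D3"
SEEN_ON_443="SHA1 Fingerprint=4a:1b:c2:d3:e4:f5:06:17:28:39:4a:5b:6c:7d:8e:9f:a0:b1:c2:d3"
SEEN_ON_9095="SHA1 Fingerprint=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"

# Stand-alone run on the sample data.  Against a real host, replace the two SEEN_ values
# with "$(fetch_thumbprint esxi01.corp.com 443)" and "$(fetch_thumbprint 127.0.0.1 9095)",
# and EXPECTED_FROM_VCDB with the expected_ssl_thumbprint column from the vpx_host query.
echo "listeners still presenting a non-matching certificate:"
stale_listeners "$EXPECTED_FROM_VCDB" "$SEEN_ON_443" "$SEEN_ON_9095"
```

On the sample data the run lists only 9095/vsanmgmtd, which is the situation the post describes: vCenter's expected thumbprint agrees with port 443 and only the vsanmgmtd listener needs its restart. If 443 is listed as well, the services.sh restart itself did not take and the host certificate should be checked before touching vsanmgmtd.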