Running the vSphere Diagnostic Tool Reports "Cert File rui.crt Does NOT Match MACHINE_SSL_CERT"
Multiple symptoms may arise from this condition, including errors similar to those in the following KB:
Adding Compute Manager in NSX fails with "IllegalStateException: connection not yet open"
vCenter Server Appliance 7.x
vCenter Server Appliance 8.x
This condition occurs after fixing a failed custom certificate implementation on vCenter Server Appliance. The rui.crt file is updated when vpxd starts and detects that the MACHINE_SSL_CERT thumbprint has changed.
When the thumbprint of a certificate is checked, only the top-level certificate (the leaf certificate) is evaluated. If the root chain was the only portion of the certificate that changed, the leaf thumbprint stays the same, so rui.crt is not updated to match.
To resolve this issue, copy the MACHINE_SSL_CERT to the rui.crt, then restart vCenter Server services.
Run the following commands:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /etc/vmware-vpx/ssl/rui.crt
service-control --stop --all && service-control --start --all
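A check for the condition described above, as an added example that is not part of the original KB or of VMware tooling: it reports whether two PEM files differ in the leaf certificate or only in the rest of the chain, which is the case a leaf-only thumbprint comparison misses. The function names and the constructed sample bodies are assumptions; certificate blocks are compared as normalized base64 text rather than by computing thumbprints.

```shell
#!/bin/sh
# Added example (not VMware code). Compares PEM files as normalized base64
# text, so no openssl is required.

# Print the base64 body of the Nth certificate (1-based) in file $1.
pem_block() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; next }
    /-----END CERTIFICATE-----/   { inside = 0; next }
    inside && n == want           { gsub(/[ \t\r]/, ""); printf "%s", $0 }
  ' "$1"
}

# Count the certificates in file $1.
pem_count() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Print one of: match | leaf-differs | chain-differs | no-cert
compare_chain() {
  if [ ! -r "$1" ] || [ ! -r "$2" ]; then echo no-cert; return 0; fi
  cc_na=$(pem_count "$1"); cc_nb=$(pem_count "$2")
  if [ "$cc_na" -eq 0 ] || [ "$cc_nb" -eq 0 ]; then echo no-cert; return 0; fi
  if [ "$(pem_block "$1" 1)" != "$(pem_block "$2" 1)" ]; then
    echo leaf-differs; return 0      # thumbprint changed: vpxd rewrites rui.crt
  fi
  if [ "$cc_na" -ne "$cc_nb" ]; then echo chain-differs; return 0; fi
  cc_i=2
  while [ "$cc_i" -le "$cc_na" ]; do
    if [ "$(pem_block "$1" "$cc_i")" != "$(pem_block "$2" "$cc_i")" ]; then
      echo chain-differs; return 0   # same leaf, different chain: stale rui.crt
    fi
    cc_i=$((cc_i + 1))
  done
  echo match
}

# Write a constructed (not real) PEM-shaped file: one block per argument after $1.
make_pem() {
  mp_out=$1; shift; : > "$mp_out"
  for mp_body in "$@"; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$mp_body" \
      '-----END CERTIFICATE-----' >> "$mp_out"
  done
}

# Usage: sh compare_chain.sh <exported MACHINE_SSL_CERT> /etc/vmware-vpx/ssl/rui.crt
if [ "$#" -eq 2 ]; then compare_chain "$1" "$2"; fi
```

On the appliance, export MACHINE_SSL_CERT to a temporary file with the vecs-cli getcert command shown above and pass that file and /etc/vmware-vpx/ssl/rui.crt as the two arguments. A result of chain-differs is the state this article describes; match is the expected result after the fix.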