Unable to patch ESXi host from the SDDC Manager



Article ID: 392967


Products

VMware SDDC Manager

Issue/Introduction

Unable to patch ESXi host from the SDDC Manager

Remediation Message: Ensure the ESXi host has a valid, resolveable fully-qualified domain name and a certificate with matching Common Name.

Error: The ESXi update postcheck failed with an unknown error.

Remediation Message: null Manual intervention needed as upgrade failed during install stage. Check for errors in the lcm log files located on SDDC Manager under /var/log/vmware/vcf/lcm. Please retry the upgrade once the upgrade is available again.

Cause

ESXi Host Configuration Status
The ESXi host configuration status under management shows "ERROR" instead of "Active."

Issue Identified:
The ESXi host was in a "password failed" state.
Password remediation failed due to a certificate trust issue.

Root Cause:
The SDDC certificate was changed to a CA-signed certificate, but the ESXi hosts were still using VMCA-signed certificates. This mismatch caused trust issues between the SDDC and the ESXi hosts.

Resolution

ESXi hosts were still using VMCA certificates, which were not added to the SDDC trust stores.

The issue will be resolved once the CA certificate is added to the ESXi hosts.

This allows the SDDC to trust the ESXi hosts, as the signing certificate of the CA will be present in the trust stores of the SDDC, establishing proper trust and resolving the connectivity issues.
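The trust mismatch described above can be reproduced offline with openssl. This is an added example, not part of the original article or of any VMware tooling; the CA names, host name and file paths are constructed, and a plain PEM bundle stands in for a trust store.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names, host name and file paths are made up for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <CN>: create a self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf <name> <CN> <ca-name>: issue a host certificate signed by that CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# trusted_by <cert> <bundle>: succeed only if the cert chains to a CA in the bundle.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# issuer_of <cert>: print which CA signed the certificate.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_ca vmca "Constructed VMCA"            # stands in for the VMCA
make_ca corp "Constructed Enterprise CA"   # stands in for the external CA
make_leaf esxi "esxi01.example.test" vmca  # host still carries a VMCA-signed cert

before="$WORK/trust-before.pem"   # bundle that lacks the host's signing CA
after="$WORK/trust-after.pem"     # same bundle with the signing CA added
cp "$WORK/corp.pem" "$before"
cat "$WORK/corp.pem" "$WORK/vmca.pem" > "$after"

issuer_of "$WORK/esxi.pem"
for bundle in "$before" "$after"; do
  if trusted_by "$WORK/esxi.pem" "$bundle"; then
    echo "$(basename "$bundle"): host certificate trusted"
  else
    echo "$(basename "$bundle"): host certificate NOT trusted"
  fi
done
```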

The next step is to change the Host status to Active.

Log in to the postgres DB.

  • Log in to the SDDC (SSH)
  • psql -h localhost -U postgres
  • \c platform
  • select id, hostname, status from host;
  • update host set status='ACTIVE' where id = 'xxxxxxx-xxxxxxx-xxxxxxx-xxxx';
  • \q

Proceed with the ESXi upgrade from the SDDC Manager.