Performing a Join Domain Operation on ESXi host using Authentication Proxy fails with error "Could not verify the certificate of the specified vSphere Authentication Proxy server."

Article ID: 392999

Products

VMware vCenter Server, VMware vCenter Server 8.0, VMware vCenter Server 7.0

Issue/Introduction

  • Attempting to add an ESXi host to a domain using Authentication Proxy may fail with the error "Could not verify the certificate of the specified vSphere Authentication Proxy server."

  • /var/log/hostd.log:

YYYY-MM-DDTHH:MM:SS info hostd[465135] [Originator@6876 sub=Vimsvc.TaskManager opID=m8rb6nzr-63391-auto-1cww-h5:70018928-7-39-95b1 user=vpxuser:<Domain Name>\Administrator] Task Created : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-219544
YYYY-MM-DDTHH:MM:SS error hostd[465135] [Originator@6876 sub=Default opID=m8rb6nzr-63391-auto-1cww-h5:70018928-7-39-95b1 user=vpxuser:<Domain Name>\Administrator] CamHttpQueryDomainInfo: 1323
YYYY-MM-DDTHH:MM:SS error hostd[465135] [Originator@6876 sub=ActiveDirectoryAuthentication opID=m8rb6nzr-63391-auto-1cww-h5:70018928-7-39-95b1 user=vpxuser:<Domain Name>\Administrator] vmwauth InvalidCAMCertificateException: N6vmware14authentication30InvalidCAMCertificateExceptionE(The CAM server's certificate cannot be verified.)
YYYY-MM-DDTHH:MM:SS info hostd[465135] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=m8rb6nzr-63391-auto-1cww-h5:70018928-7-39-95b1 user=vpxuser:<Domain Name>\Administrator] Event 681 : Join domain failed.
YYYY-MM-DDTHH:MM:SS info hostd[465135] [Originator@6876 sub=Vimsvc.TaskManager opID=m8rb6nzr-63391-auto-1cww-h5:70018928-7-39-95b1 user=vpxuser:<Domain Name>\Administrator] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM-219544 Status error
YYYY-MM-DDTHH:MM:SS info hostd[133904] [Originator@6876 sub=Vimsvc.TaskManager opID=HB-SpecSync-host-64@0-7a475bc5-2a-SWI-409434ca-95b7 user=vpxuser] Task Created : haTask-ha-host-vim.host.StorageSystem.refresh-219546

  • /var/log/vmware/vpxd/vpxd.log:

YYYY-MM-DDTHH:MM:SS info vpxd[1054795] [Originator@6876 sub=vpxLro opID=m8rb6nzr-63325-auto-1cv2-h5:70018908-1d] [VpxLRO] -- BEGIN task-3135 -- activeDirectoryAuthentication-64 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM -- 529a9229-49fb-8005-d7c3-1d93d5335529(52f0c464-897a-b6ab-9b09-09404a4cce56)
YYYY-MM-DDTHH:MM:SS info vpxd[1054795] [Originator@6876 sub=vpxLro opID=m8rb6nzr-63325-auto-1cv2-h5:70018908-1d] [VpxLRO] -- FINISH task-3135
YYYY-MM-DDTHH:MM:SS error vpxd[1054795] [Originator@6876 sub=Default opID=m8rb6nzr-63325-auto-1cv2-h5:70018908-1d] [VpxLRO] -- ERROR task-3135 -- 529a9229-49fb-8005-d7c3-1d93d5335529(52f0c464-897a-b6ab-9b09-09404a4cce56) -- activeDirectoryAuthentication-64 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM: :vim.fault.InvalidCAMCertificate
--> Result:
--> (vim.fault.InvalidCAMCertificate) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>,
-->    errorCode = 0,
-->    camServer = "<vCenter Server IP>"
-->    msg = "Could not verify the certificate of the specified vSphere Authentication Proxy server."
--> }
--> Args:
-->
--> Arg domainName:
--> "<Active Directory Domain>"
--> Arg camServer:
--> "<vCenter Server IP>"

Cause

This issue is caused by a mismatched entry in vmcamcert.pem on vCenter Server after manual replacement of the vmcam certificate.

Resolution

To resolve the issue, proceed with the following steps:

  • Log in to the vCenter Server Appliance (VCSA) using SSH
  • Navigate to the VMware vSphere Authentication Proxy (vmcam) service ssl directory

cd /var/lib/vmware/vmcam/ssl

  • Take a backup of the existing vmcamcert.pem

cp vmcamcert.pem vmcamcert.pem_old

  • Empty the existing PEM file

> vmcamcert.pem

  • Update the file with the regenerated certificate

(cat rui.key;echo "";cat rui.crt) > vmcamcert.pem

  • Restart the vmcam service

service-control --restart vmcam

Note: The above steps apply if the vmcam certificates were replaced manually following the steps under "Generate a New Certificate for vSphere Authentication Proxy".
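
A check to run before restarting vmcam, as an added example that is not part of the original article: it uses openssl to confirm that the certificate and private key inside vmcamcert.pem are the ones in rui.crt and rui.key. The function names are hypothetical; the file names and default directory are those used in the steps above.

```shell
#!/bin/bash
# Added example (not from the article): verify that vmcamcert.pem carries the
# same certificate and private key as the regenerated rui.crt / rui.key.
# Function names are hypothetical; file names come from the steps above.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# Public key embedded in the first certificate of a PEM file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key in a PEM file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 if the bundle is consistent, 1 on a mismatch,
# 2 if a file is missing, empty or unparsable.
check_vmcam_bundle() {
    dir=${1:-/var/lib/vmware/vmcam/ssl}
    bundle="$dir/vmcamcert.pem"; key="$dir/rui.key"; crt="$dir/rui.crt"

    for f in "$bundle" "$key" "$crt"; do
        [ -s "$f" ] || { echo "ERROR: missing or empty file: $f"; return 2; }
    done

    want_fp=$(cert_fingerprint "$crt") || want_fp=""
    want_pub=$(cert_pubkey "$crt") || want_pub=""
    [ -n "$want_fp" ] && [ -n "$want_pub" ] || { echo "ERROR: cannot parse $crt"; return 2; }

    rc=0
    # The certificate in the bundle must be the regenerated rui.crt.
    [ "$(cert_fingerprint "$bundle")" = "$want_fp" ] ||
        { echo "MISMATCH: certificate in vmcamcert.pem differs from rui.crt"; rc=1; }
    # rui.key must be the private key for rui.crt.
    [ "$(key_pubkey "$key")" = "$want_pub" ] ||
        { echo "MISMATCH: rui.key does not belong to rui.crt"; rc=1; }
    # The private key in the bundle must also belong to rui.crt.
    [ "$(key_pubkey "$bundle")" = "$want_pub" ] ||
        { echo "MISMATCH: private key in vmcamcert.pem does not belong to rui.crt"; rc=1; }

    if [ "$rc" -eq 0 ]; then echo "OK: vmcamcert.pem matches rui.key and rui.crt"; fi
    return "$rc"
}
```

Call `check_vmcam_bundle` with no argument on the VCSA, or pass a directory holding copies of the three files; a result of 1 indicates the bundle needs to be rebuilt from rui.key and rui.crt as in the steps above.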