After a reboot of an ESXi host that has encryption enabled, vCenter raises the alarm "Host Requires Encryption Mode Enabled Alarm" for the host.
VMware vSphere ESXi 8.x
In rare situations, the CA certificates cannot be pushed to the host while it is in maintenance mode, which causes the host's encryption settings to fail after the reboot.
The host is in maintenance mode at the time the events below are logged in vpxd.
The host logs can be checked to confirm the maintenance mode timeline.
/var/run/log/vobd.log
YYYY-MM-DD hh:mm:ss.zzzZ In(14) vobd[######]:[GenericCorrelator] 1211313123035us: [vob.user.maintenancemode.entered] The host has entered maintenance mode
YYYY-MM-DD hh:mm:ss.zzzZ In(14) vobd[######]:[UserLevelCorrelator] 223455551us: [vob.user.maintenancemode.exited] The host has exited maintenance mode
vCenter: /var/log/vmware/vpxd/vpxd.log
YYYY-MM-DD hh:mm:ss.zzzZ info vpxd[######] [Originator@6876 sub=certmgrLogger opID=HeartbeatStartHandler-aaaabbbb-1234ffae-WorkQueue-aabbccdd] Will update root certificates on host; [vim.HostSystem:host-xxxx,<host_fqdn>], on vc: (string) [
SetHostKey failed on [vim.HostSystem:host-xxxx,<host_fqdn>]: N5Vmomi12RuntimeFault9ExceptionE(Fault cause: vmodl.RuntimeFault--> )--> [context]...........................................==[/context]
YYYY-MM-DD hh:mm:ss.zzzZ error vpxd[219211] [Originator@6876 sub=certmgrLogger opID=HeartbeatStartHandler-aaaabbbb-1234ffae-WorkQueue-aabbccdd] Failed to push CA certificates and CRLs to host; [vim.HostSystem:host-xxxx,<host_fqdn>], ca: (string) [
--> "--> ], crls: (null), N3Vim5Fault12InvalidState9ExceptionE(Fault cause: vim.fault.InvalidState <<< The host is reported as invalid state--> )
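The correlation described above can be scripted. The following is an added example, not VMware code: it reads one host's vobd.log lines and the vCenter vpxd.log lines and reports whether each failed CA/CRL push for that host fell inside a maintenance mode window. The sample lines, host ID and FQDN are constructed, and the ISO 8601 timestamp form with `T` is an assumption (the space-separated form shown above is also accepted).

```python
import re
from datetime import datetime

TS = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2}\.\d{3})Z")
HOST = re.compile(r"\[vim\.HostSystem:(host-\d+),([^\]]+)\]")
PUSH_FAIL = "Failed to push CA certificates and CRLs to host"

def parse_ts(line):
    """Parse the leading UTC timestamp of a log line, or return None."""
    m = TS.match(line)
    return datetime.strptime(" ".join(m.groups()), "%Y-%m-%d %H:%M:%S.%f") if m else None

def maintenance_windows(vobd_lines):
    """(entered, exited) pairs from one host's vobd.log; exited is None if still open."""
    windows, start = [], None
    for line in vobd_lines:
        t = parse_ts(line)
        if t and "[vob.user.maintenancemode.entered]" in line:
            start = t
        elif t and "[vob.user.maintenancemode.exited]" in line and start:
            windows.append((start, t))
            start = None
    return windows + ([(start, None)] if start else [])

def failed_pushes(vpxd_lines, host_fqdn, windows):
    """Failed CA/CRL pushes for host_fqdn as (time, host_id, inside_window)."""
    hits = []
    for line in vpxd_lines:
        t, m = parse_ts(line), HOST.search(line)
        if not (t and m and PUSH_FAIL in line and m.group(2) == host_fqdn):
            continue  # other hosts, other events, or continuation lines
        inside = any(s <= t and (e is None or t <= e) for s, e in windows)
        hits.append((t, m.group(1), inside))
    return hits

# Constructed sample lines (not from a real system), shaped like the excerpts above.
VOBD = [
    "2024-01-10T08:00:00.000Z In(14) vobd[2097600]: [GenericCorrelator] 1211313123035us: [vob.user.maintenancemode.entered] The host has entered maintenance mode",
    "2024-01-10T08:30:00.000Z In(14) vobd[2097600]: [UserLevelCorrelator] 223455551us: [vob.user.maintenancemode.exited] The host has exited maintenance mode",
]
VPXD = [
    "2024-01-10T08:10:00.000Z error vpxd[12345] [Originator@6876 sub=certmgrLogger opID=x] Failed to push CA certificates and CRLs to host; [vim.HostSystem:host-1001,esx01.example.test], ca: (string) [",
    "2024-01-10T08:15:00.000Z error vpxd[12345] [Originator@6876 sub=certmgrLogger opID=y] Failed to push CA certificates and CRLs to host; [vim.HostSystem:host-1002,esx02.example.test], ca: (string) [",
    "2024-01-10T09:00:00.000Z error vpxd[12345] [Originator@6876 sub=certmgrLogger opID=z] Failed to push CA certificates and CRLs to host; [vim.HostSystem:host-1001,esx01.example.test], ca: (string) [",
]

if __name__ == "__main__":
    for t, hid, inside in failed_pushes(VPXD, "esx01.example.test", maintenance_windows(VOBD)):
        print(t.isoformat(), hid, "in maintenance mode" if inside else "outside maintenance mode")
```

Because vobd.log belongs to a single host, the FQDN filter keeps failures logged for other hosts in the same vpxd.log from being matched against the wrong maintenance windows.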
This issue is fixed in VCSA 8U3 or later builds of the vCenter.
As a workaround, disable and re-enable the encryption on the ESXi