The vCenter Server is unable to fetch certificates from dl.broadcom.com

Article ID: 397872


Products

  • VMware vCenter Server
  • VMware vCenter Server 8.0

Issue/Introduction

  • The vCenter Server is unable to fetch certificates from dl.broadcom.com when attempting to check for updates via VAMI or Lifecycle Manager (LCM).

  • Toggling the proxy settings (enabling/disabling) has no impact on the issue.

  • Network connectivity from vCenter to dl.broadcom.com over port 443 is verified and working using Telnet and Netcat.

  • Using openssl s_client -connect dl.broadcom.com:443 -showcerts on the vCenter returns a certificate chain, so the TLS handshake itself completes. Note that s_client does not abort on an untrusted chain: it prints whatever the peer presented and reports the validation result only on its "Verify return code" line, so this output shows what vCenter is being handed, not that the chain is trusted.

  • The applmgmt.log contains the following errors:

YYYY-MM-DDTmm:ss:ms PM UTC [3454]DEBUG:vmware.appliance.update.update_functions:runCommandAndCheckResult failed: "--YYYY-MM-DDTmm:ss:ms--  https://dl.broadcom.com/################################/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/7.0.3.02200/manifest/manifest-latest.xml\nResolving dl.broadcom.com... IP, IP\nConnecting to dl.broadcom.com|IP|:443... connected.\nERROR: cannot verify dl.broadcom.com's certificate, issued by ‘CN= ’:\n  Self-signed certificate encountered.\nTo connect to dl.broadcom.com insecurely, use `--no-check-certificate'.\n"
YYYY-MM-DDTmm:ss:ms PM UTC [3454]ERROR:vmware.appliance.update.update_b2b:
Got exception while trying discover at URL https://dl.broadcom.com/################################/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/7.0.3.02200: NotFound(messages=[{'id': 'com.vmware.appliance.update.invalid_url', 'default_message': 'Check the URL and try again.', 'args': ['']}], data=None, error_type='NOT_FOUND') 'Traceback (most recent call last):\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1499, in _discoverUpdateAt\n    tempFolder)\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 582, in wgetWrapper\n    "Certificate error at target URL"))})\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 374, in runCommandAndCheckResult\n    raise exception\nvmware.appliance.update.update_functions.LocalizableException: {\'id\': \'com.vmware.appliance.update.download_failed\', \'default_message\': \'Download failed\', \'args\': []}\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1764, in processURLUpdates\n    header = _discoverUpdateAtUrl(url,\'latest\')\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1689, in _discoverUpdateAtUrl\n    versionFolder)\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_b2b.py", line 1505, in _discoverUpdateAt\n    vapiNotFound(messageInvalidUrl(\'\'))\n  File "/usr/lib/applmgmt/update/py/vmware/appliance/update/update_functions.py", line 167, in vapiNotFound\n    raise ErrorFactory.new_not_found(messages=messages)\ncom.vmware.vapi.std.errors_provider.NotFound: {messages : [{\'id\': \'com.vmware.appliance.update.invalid_url\', \'default_message\': \'Check the URL and try again.\', \'args\': [\'\']}], data : None, error_type : NOT_FOUND}\n'


Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x

Cause

  • The problem lies in how the network firewall handles the TLS session to dl.broadcom.com: it performs SSL/TLS inspection (decryption) and presents vCenter with a substituted certificate that the appliance cannot validate. In the applmgmt.log excerpt above, wget reports the certificate as issued by an empty "CN= " and as self-signed, which is what an interception device produces, not the public chain that dl.broadcom.com actually serves.

In SSL/TLS, "certificate request" here refers to the client receiving the server's certificate during the TLS handshake. (A server can also request a client certificate in mutual TLS, which is less common and is not what fails in this case.)

When the firewall performs SSL/TLS inspection (also called TLS interception or a man-in-the-middle proxy):

  1. Intercepted request flow:

    • vCenter opens a TLS connection to https://dl.broadcom.com

    • The firewall intercepts the connection

    • The firewall opens its own TLS connection to dl.broadcom.com

    • It fetches and validates the real server certificate

  2. Decryption and re-encryption:

    • The firewall decrypts the server's response on its upstream session

    • It re-encrypts the traffic towards vCenter on a second TLS session, presenting a certificate it generated for dl.broadcom.com and signed with its inspection CA (typically a corporate CA that managed clients inside the organization are configured to trust)

    • vCenter sees this generated certificate, not the real server's

  3. Why the inspected connection can fail:

    • The client uses TLS features such as encrypted handshake extensions, which make the session harder for the firewall to inspect

    • Certificate pinning in the client rejects any certificate other than the original

    • The firewall's SSL inspection rules are misconfigured

    • The firewall cannot validate the original server's certificate chain and substitutes an untrusted or self-signed certificate

    • The client is not configured to trust the inspection CA, so the substituted certificate fails validation and the client refuses to continue; this is the case here, recorded in applmgmt.log as "cannot verify dl.broadcom.com's certificate" and "Self-signed certificate encountered"

Resolution

  • This issue is not caused by vSphere or vCenter. It appears to be caused by the firewall's TLS inspection of the connection to dl.broadcom.com and should be investigated by your network or firewall team.

Workaround:

  • For VAMI: You can temporarily bypass certificate validation by unchecking the "Check certificate" option. Be aware that this disables TLS certificate verification for VAMI update downloads, so any device in the path could serve a modified manifest or payload; re-enable the check as soon as the firewall issue is resolved.

  • For LCM: Unfortunately, no workaround is available at this time.

Alternative Solution (for Isolation/Testing Only):

Note: This approach is intended for isolation and validation only and is not a recommended permanent solution. The chain captured with s_client is whatever the device in the path presents; if the firewall is intercepting, that is the firewall's inspection CA, and importing it makes vCenter trust every certificate that CA signs, for any destination, not only dl.broadcom.com. The recommended action is to coordinate with your firewall team to resolve the root cause.

  • Take a snapshot of the vCenter before proceeding. For Enhanced Linked Mode (ELM) setups, take offline (powered-off) snapshots.

  • SSH into the vCenter appliance and run the following command to fetch the certificate chain exactly as the appliance receives it (press Ctrl-D once the chain has been printed to close the session): openssl s_client -connect dl.broadcom.com:443 -showcerts

  • Copy every certificate block from the output, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive, and save the blocks to a .cer file.
  • The file should contain the certificates in the following order:

    • The intermediate certificate(s)

    • The root certificate

    The server (leaf) certificate, which s_client prints first, is not a CA certificate and is not required; it can be left out. Keep the order in which s_client printed the certificates, which runs from the server certificate up to the root.

    Example structure:

    -----BEGIN CERTIFICATE-----
    <Server Certificate (not required)>
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    <Intermediate Certificate>
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    <Root Certificate>
    -----END CERTIFICATE-----

  • In the vSphere Client, navigate to:
    Administration > Certificates > Certificate Management > Trusted Root Certificates,
    and upload the .cer file containing the intermediate and root certificates.

    • Note: If the imported trusted root certificate expires or is replaced, the update check fails again; fetch the current chain and import it again.
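The diagnosis in the Cause section and the chain-capture procedure above, reproduced end to end as an added shell example. This is not the KB's or VMware's tooling and is not meant to be run on the appliance as-is: it builds a constructed "TLS inspection" CA and a leaf certificate it mints for dl.broadcom.com in a temporary directory, parses an s_client -showcerts style transcript into individual certificates, prints each subject and issuer so an inspection CA is visible at a glance, shows verification failing against the default trust store (what wget in applmgmt.log hits) and succeeding once only the CA certificates are bundled into a .cer file as the procedure describes. The CA name "Example Corp TLS Inspection CA", the transcript, the file names and the function names are all invented for the example; it needs only openssl, awk and sed and makes no network connection.

```shell
#!/bin/sh
# Added example, not from the KB or from VMware: rebuilds the failure mode with
# a constructed "TLS inspection" CA and a leaf it mints for dl.broadcom.com,
# then runs the two checks worth doing before importing anything into vCenter's
# Trusted Root store: who issued the certificate the client actually receives,
# and whether it validates against a given trust store. Needs only openssl,
# awk and sed; everything lives in a temp dir and no network access is used.
set -eu
WORK=$(mktemp -d)

# Constructed fixtures. The CA name and transcript are invented; a real
# inspecting firewall mints a certificate like this for every session it decrypts.
make_inspection_fixtures() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Corp TLS Inspection CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:dl.broadcom.com\n' > "$WORK/leaf.ext"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/inspect-ca.key" -out "$WORK/inspect-ca.pem" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=dl.broadcom.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -extfile "$WORK/leaf.ext" \
    -CA "$WORK/inspect-ca.pem" -CAkey "$WORK/inspect-ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
  # Stand-in for `openssl s_client -showcerts` output: handshake chatter plus
  # the PEM blocks, server certificate first, as the KB has you copy them.
  {
    printf 'CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = dl.broadcom.com\n'
    cat "$WORK/leaf.pem"
    printf ' 1 s:CN = Example Corp TLS Inspection CA\n'
    cat "$WORK/inspect-ca.pem"
    printf '%s\n' '---' 'Verify return code: 19 (self-signed certificate in certificate chain)'
  } > "$WORK/s_client.txt"
}

# Pull every PEM certificate out of an s_client transcript into cert-N.pem,
# depth 0 (the server certificate) first; prints how many were found.
split_chain() {  # $1 = transcript, $2 = output dir
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# Subject / issuer as one line; the sed strips the prefix in both old and new
# openssl output styles.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# True when basicConstraints says CA:TRUE. Only CA certificates belong in the
# Trusted Root store; the server certificate never does.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Build the .cer bundle the procedure has you upload: CA certificates only, in
# the order s_client printed them (intermediates first, root last).
# Prints the number of certificates written.
build_trust_bundle() {  # $1 = dir holding cert-N.pem, $2 = output bundle
  : > "$2"
  for f in "$1"/cert-*.pem; do
    if is_ca_cert "$f"; then cat "$f" >> "$2"; fi
  done
  grep -c 'BEGIN CERTIFICATE' "$2" || true
}

# Does the server certificate validate? Without a bundle this is openssl's
# default trust store, the same store wget on the appliance consults when it
# logs "cannot verify dl.broadcom.com's certificate".
verify_leaf() {  # $1 = server certificate, $2 = optional CA bundle
  if [ -n "${2:-}" ]; then openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else openssl verify "$1" >/dev/null 2>&1; fi
}

make_inspection_fixtures
N=$(split_chain "$WORK/s_client.txt" "$WORK")
i=0
while [ "$i" -lt "$N" ]; do
  echo "depth $i: subject=$(cert_subject "$WORK/cert-$i.pem")  issuer=$(cert_issuer "$WORK/cert-$i.pem")"
  i=$((i + 1))
done
if verify_leaf "$WORK/cert-0.pem"; then echo "default trust store: OK, no interception in the path"
else echo "default trust store: FAIL, the chain handed to the client is not trusted"; fi
build_trust_bundle "$WORK" "$WORK/inspection-ca.cer" >/dev/null
verify_leaf "$WORK/cert-0.pem" "$WORK/inspection-ca.cer" \
  && echo "with inspection-ca.cer imported as a trusted root: OK"
```

To apply the parsing and bundling functions to a real capture, save the s_client output from the appliance to a file and pass it to split_chain and then build_trust_bundle. If the issuer printed for depth 0 is a corporate or inspection CA rather than the public CA that issues the dl.broadcom.com certificate, the firewall is decrypting the session, and that inspection CA is what the alternative solution above ends up adding to vCenter's trusted roots.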

 

Additional Information