Lifecycle Manager Unable to Sync Updates After Integrating Authenticated Token When Proxy is In Use

Article ID: 398274

Products

VMware vCenter Server

Issue/Introduction

When using an HTTPS proxy server, after integrating the VCF authenticated token, you see that Lifecycle Manager is unable to sync updates. 

 Symptoms:

  • "Sync Updates" jobs fail in Lifecycle Manager. 
  • On the vCenter, in /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log you see SSL verification failures against dl.broadcom.com.
  • When connected to the vCenter over SSH, running the command curl -k -vvv https://dl.broadcom.com returns the error "SSL certificate verify result: unable to get local issuer certificate."

Environment

VMware vCenter 7.x 

VMware vCenter 8.x 

Cause

The certificate chain for the proxy server is either missing from or incomplete in the vCenter's Trusted Root store.
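
To confirm this cause from the curl symptom above, the following added example (not part of the original article) reads saved curl -k -vvv output and reports the verify result together with the issuer of the certificate the vCenter actually received. It assumes curl's OpenSSL-backend verbose format; the function names and the sample issuer are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): classify saved `curl -k -vvv` output.
# Assumes curl's OpenSSL-backend verbose format ("*  issuer: ...").

# Print the first "*  <field>: value" value found in FILE.
cert_field() {
    sed -n "s/^\*  *$1: *//p" "$2" | head -n 1
}

# diagnose_curl FILE -> prints "<VERDICT>|<issuer DN presented to vCenter>"
diagnose_curl() {
    issuer=$(cert_field issuer "$1")
    result=$(cert_field 'SSL certificate verify result' "$1")
    if grep -q 'SSL certificate verify ok' "$1"; then
        verdict=TRUSTED
    else
        case "$result" in
            *'unable to get local issuer certificate'*)
                verdict=ISSUER_CHAIN_NOT_TRUSTED ;;  # the symptom in this article
            '') verdict=NO_TLS_RESULT ;;             # handshake never completed
            *)  verdict=OTHER_VERIFY_FAILURE ;;
        esac
    fi
    printf '%s|%s\n' "$verdict" "$issuer"
}

# Constructed sample: a certificate re-signed by an inspecting proxy.
write_sample() {
    cat > "$1" <<'EOF'
* Server certificate:
*  subject: CN=dl.broadcom.com
*  issuer: DC=example; CN=Example Proxy Inspection CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
EOF
}

sample=$(mktemp)
write_sample "$sample"
diagnose_curl "$sample"
rm -f "$sample"
```

curl writes its verbose output to stderr, so capture it with 2> into a file before passing that file to diagnose_curl. The issuer printed next to ISSUER_CHAIN_NOT_TRUSTED names the CA whose chain is missing from the Trusted Root store.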

Resolution

METHOD 1: Create a rule on your proxy server to bypass inspection for traffic To/From dl.broadcom.com to your vCenter.

METHOD 2: Upload the full certificate chain for the proxy to your vCenter Server's Trusted Root store:

  1. Upload the Root and Intermediate proxy certs to /tmp on the vCenter.

  2. Run these commands to add the Root and Intermediate certs (if applicable) for the proxy to the VC, replacing the <ROOT_CERT> and <INTERMEDIATE_CERT> placeholders with the file names of the certs:

    • /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/<ROOT_CERT> --login [email protected] --password <SSO_Admin_Password>
    • /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/<INTERMEDIATE_CERT> --login [email protected] --password <SSO_Admin_Password>

  3. Run this command to refresh the VECS store so the vCenter recognizes the new certs:
    • /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  4. Run a Lifecycle Manager re-sync from the vSphere GUI:
    1. Navigate to Lifecycle Manager Interface 
    2. Click Actions
    3. Click Sync Updates

NOTE: To check if the vCenter is downloading, run the command below from the vCenter. You should see entries relating to package downloads originating from dl.broadcom.com:

  • tail -f /var/log/vmware/vmware-updatemgr/vum-server/imageservice.log