Customers are trying to log in to their guest clusters from a jump box.
Running a kubectl command against the guest cluster returns output similar to the following:
kubectl get nodes -v 10
I0624 13:47:39.692588 3949 loader.go:373] Config loaded from file:
E0624 13:47:39.751879 3949 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
I0624 13:47:39.752004 3949 cached_discovery.go:120] skipped caching discovery info due to the server has asked for the client to provide credentials
I0624 13:47:39.753055 3949 helpers.go:246] server response object: [{
"metadata": {},
"status": "Failure",
"message": "the server has asked for the client to provide credentials",
"reason": "Unauthorized",
"details": {
"causes": [
{
"reason": "UnexpectedServerResponse",
"message": "unknown"
}
]
},
"code": 401
}]
error: You must be logged in to the server (the server has asked for the client to provide credentials)
vSphere Supervisor 8.0 Update 3
After renewing the vCenter machine certificates, the guest-cluster-auth pods are not updated and retain the old certificates' thumbprint.
The monitor service, which watches for JWKS changes for updated keys, does not notify wcpsvc to sync the change to the Supervisor. The update instead depends on some other infrastructure change putting the Supervisor into the configure state, so the sync can be delayed indefinitely.
Engineering is aware of the issue, and a fix is scheduled for a future release.
Until the permanent fix is released, the workaround is to restart the WCP service on vCenter. This forces the Supervisor into the configure state, which triggers the sync for the guest-cluster-auth-service pod.
1. Log in to the vCenter Server Appliance as root
2. Restart the WCP service:
vmon-cli -r wcp
3. If the customer's guest cluster is below v1.31.1, also follow the steps in KB 370252 to update the guest-cluster-auth-service pod
4. Check that you can now log in to the guest cluster
See also the related KB: Cannot login to vSphere with Tanzu TKC guest cluster after renewing vCenter machine certificates with error "the server has asked for the client to provide credentials"
If the customer's guest cluster is v1.31.1 or higher, restarting the guest-cluster-auth-service pod should no longer be necessary, because the pod dynamically watches for changes to the configmap and reloads the public keys.
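The following shell helper is an added example, not part of the KB or of any VMware tooling. It checks saved kubectl output for the 401 response shown above and lists which of the workaround steps apply for a given guest cluster version; the function names, step labels and sample input are constructed for illustration.

```shell
# Added example, not from the KB; function names are hypothetical.
# Constructed sample: tail of the kubectl -v 10 output shown in the article.
SAMPLE_401='"reason": "Unauthorized",
"code": 401
error: You must be logged in to the server (the server has asked for the client to provide credentials)'

# Return 0 if kubectl output on stdin has both the 401 code and the message.
is_credentials_401() {
    awk '
        /"code": *401/ { code = 1 }
        /the server has asked for the client to provide credentials/ { msg = 1 }
        END { exit !(code && msg) }
    '
}

# Return 0 if the version is below v1.31.1 (step 3 applies), 1 if not,
# 2 if malformed. A build suffix after "+" or "-" is ignored.
below_v1_31_1() {
    ver=${1#v}
    ver=${ver%%[+-]*}
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    [ "$major" -ne 1 ] && { [ "$major" -lt 1 ]; return; }
    [ "$minor" -ne 31 ] && { [ "$minor" -lt 31 ]; return; }
    [ "$patch" -lt 1 ]
}

# Read kubectl output on stdin; print the workaround steps that apply.
workaround_steps() {
    is_credentials_401 || { echo "no-match"; return 1; }
    echo "restart-wcp"                  # step 2: vmon-cli -r wcp on vCenter
    rc=0; below_v1_31_1 "$1" || rc=$?
    case $rc in
        0) echo "kb-370252" ;;          # step 3: update guest-cluster-auth-service pod
        2) echo "confirm-version" ;;    # unreadable version: check before skipping step 3
    esac
    echo "verify-login"                 # step 4
}

printf '%s\n' "$SAMPLE_401" | workaround_steps v1.30.1
```

A match identifies only the symptom; confirm that the vCenter machine certificates were recently renewed before restarting WCP.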