After the machine_ssl certificate of the publisher content library is changed, the subscribed libraries does not sync.

The log of the subscribed library, /var/log/vmware/content_library/cls.log shows the following error:

YYYY-MM-DDThh:mm:ss | ERROR    | #####-#####-#####-h5:#####-##-## | transferService-pool-7-thread | CertificateTrustStrategy       | SSL thumbprint mismatch: Url https://<publisher_vCenter_fqdn>:443/cls/vcsp/lib/#####-#####-#####/#####-#####-#####/<content_library_template_name>, Received ##:##:##:##:##:##:##:##:##:##, expected ##:##:##:##:##:##:##:##:##:##

Attention: Please ensure to take a snapshot or backup of the vCenter Server before making any changes to the vCenter Database. If the vCenter Server is part of an Enhanced Linked Mode (ELM) replication setup, please be aware that offline snapshots (in powered off state) of all vCenter Servers in the ELM domain are required. Please refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice for further information.

To fix this issue:

1. Open an SSH session to the vCenter server that hosts the publishing content library and login with the root user
2. Run the following command to get the thumbprint of the publishing library:

   # openssl s_client -connect localhost:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1

3. Open an SSH session to the subscriber vCenter server and run the following command to get the thumbprint stored in the database:

   # /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres -c "select name, subscriptionsslthumbprint from cl_library;"

4. Compare both of the thumbprints, if they are different, run the following command to update the correct thumbprint in the subscriber vCenter server:

   # /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres -c "update cl_library set subscriptionsslthumbprint = '<correct_publisher-vCenter_thumbprint>' where subscriptionsslthumbprint = '<incorrect_thumbprint>';"