VDT output reports "A single certificate has a trust mismatch" and instructs you to run lsdoctor.py --trustfix option on this node
Article ID: 412746

Products

VMware vCenter Server

Issue/Introduction

  • You have run VDT per KB344917 to check the health of your vCenter prior to an upgrade.
  • The output of VDT finds "A single certificate has a trust mismatch."
  • In the VDT output and logs you see a similar message:

SSO Checks
A single certificate has a trust mismatch.  This requires an execution of lsdoctor.py with the --trustfix flag on this vCenter server node.
                • [FAIL]    <vcenter-server-FQDN> (VC Server or CGW)
                    [FAIL]    SSL Trust Mismatch
                                Please run python lsdoctor.py --trustfix option on this node (or a vCenter in this SSO site).
                                Services grouped by SSL Trust: ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:
                                - sso:groupcheck
                                - sso:admin
                                - sso:sts

Environment

VMware vCenter Server

Cause

Per KB320837, the lookup service registrations may have an SSL trust value that doesn’t match the MACHINE_SSL_CERT on port 443 of the node.  This can be caused by a failure during certificate replacement, among other failures.
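The comparison behind this finding, as an added example (not code from VDT, lsdoctor, or the KB): group registrations by the thumbprint of their SSL trust value and report every group that differs from the machine SSL certificate. It assumes trust values are base64-encoded DER certificates and that the thumbprint is SHA-1 in colon-separated form; the certificate bytes and the `example:service` ID are constructed stand-ins.

```python
import base64
import hashlib
from collections import defaultdict


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of DER bytes, colon-separated (assumed VDT format)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def group_by_trust(registrations):
    """Map thumbprint -> sorted service IDs that carry that trust value."""
    groups = defaultdict(list)
    for service_id, trusts in registrations.items():
        for b64_cert in trusts:
            der = base64.b64decode(b64_cert, validate=True)
            groups[thumbprint(der)].append(service_id)
    return {tp: sorted(ids) for tp, ids in groups.items()}


def find_mismatches(machine_ssl_der, registrations):
    """Return only the trust groups that differ from the machine SSL cert."""
    expected = thumbprint(machine_ssl_der)
    return {tp: ids for tp, ids in group_by_trust(registrations).items()
            if tp != expected}


# Constructed stand-ins for DER certificates (not real certificates).
CURRENT_CERT = b"constructed-der-current-machine-ssl-cert"
STALE_CERT = b"constructed-der-cert-from-before-replacement"

# Constructed registrations: service ID -> list of base64 trust values.
# "example:service" is a hypothetical ID; the sso:* IDs appear in the VDT output.
SAMPLE_REGISTRATIONS = {
    "example:service": [base64.b64encode(CURRENT_CERT).decode()],
    "sso:sts": [base64.b64encode(STALE_CERT).decode()],
    "sso:admin": [base64.b64encode(STALE_CERT).decode()],
    "sso:groupcheck": [base64.b64encode(STALE_CERT).decode()],
}

if __name__ == "__main__":
    for tp, ids in find_mismatches(CURRENT_CERT, SAMPLE_REGISTRATIONS).items():
        print("SSL Trust Mismatch:", tp)
        for service_id in ids:
            print("  -", service_id)
```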

Resolution

Per KB320837:

Instructions:

  1. Copy and extract lsdoctor to the filesystem of any node in the same SSO site as the affected node(s)
  2. Run “python lsdoctor.py -t”
  3. Verify that you have taken the appropriate snapshots
  4. Provide the password for your SSO administrator account

Follow up actions needed:

  • Once the script completes, restart all services on all nodes in the SSO site
  • Re-register any external solutions that were previously pointed to the affected node(s) (SRM, vSphere Replication, NSX-V, etc.)