Certificate error “TRUSTED_ROOTS, Error”

Article ID: 412753

Products

VMware vCenter Server

Issue/Introduction

vCenter patch fails with the STS certificate error “TRUSTED_ROOTS, Error”.

Cause

An incomplete or incorrect certificate chain can cause trust validation errors. For an STS token to be trusted, every certificate in its chain, from the leaf certificate up to the root CA, must be present and valid.

Resolution

Correct the misconfiguration using the vCert tool, or refresh the trusted certificates so that the STS certificate chain is updated.

To correct the trust issue, download the vCert tool from the link below and upload it to the affected vCenter Server. https://knowledge.broadcom.com/external/article/385107#:~:text=get_app-,vCert%2D6.1.0%2D20250910.zip,-get_app

  • Open an SSH session to vCenter and make sure you are in the root directory before proceeding with the instructions below.
  • To avoid sign-in failures with WinSCP or SFTP/FTP while uploading vCert, enable the shell and then run the following command:
          # chsh -s /bin/bash root
  • Once the upload is complete, make the script executable by running the following command in the directory where the script was uploaded:
          # chmod +x vCert
  • Depending on how the script was copied, it may be necessary to remove Windows carriage returns from the file:
          # sed -i 's/\r//g' vCert

    The script will create a log file in the same directory named vCert.log, and will create a directory in /tmp with the name format vCert-YYYYMMDD, which will include several sub-directories for staging, backups, etc.

    Running the Script:
        # ./vCert 

    Operations
    The following options are presented at the main menu:

  1. Check current certificates status – use this to confirm expired certs. Press CTRL+C to return to the main menu.
  2. View Certificate Info
  3. Manage Certificates – choose this option to replace the expired certs.
  4. Manage SSL Trust Anchors
  5. Check configurations
  6. Reset all certificates with VMCA-signed certificates
  7. ESXi certificate operations
  8. Restart services
  9. Generate certificate report
  10. Exit
  • If the output from Option 1 shows Checking SSL Trust Anchors as a Mismatch, correct the trust anchors using Option 4 as described below:

    Correcting SSL Trust Anchors with vCert

  From the main menu, select option 4. Manage SSL Trust Anchors

This option will display the following menu:
--------------------------------------------------------

  1. Check SSL Trust Anchors
  2. Update SSL Trust Anchors
  3. Return to Main Menu

Should the issue persist, refresh the STS certificates using the instructions below:

  • Download Certificates: Manually download each certificate in the trusted CA chain as a Base64 .crt file. https://knowledge.broadcom.com/external/article?articleNumber=382052#:~:text=Download%20Certificates%20%3A%20Manually,cli%20force%2Drefresh

  • Publish Certificates on VCSA: Use the following commands to publish the certificates, one command per certificate in the chain:

        # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file1.crt --chain
        # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file2.crt --chain
        # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file3.crt --chain

  • Force Refresh: After publishing the certificates, force a refresh so that the system recognizes the new trusted certificates:

        # /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
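Because the error comes from a gap or an expired link in the chain, it helps to confirm the downloaded .crt files actually form a complete, unexpired chain before publishing them. The following POSIX shell function is an added example, not part of this article or of the vCert tool; it uses openssl and assumes the files are passed root first, then each intermediate in issuing order.

```shell
#!/bin/sh
# Added example: pre-flight check of a downloaded CA chain before it is published
# with dir-cli trustedcert publish. Arguments are the Base64 .crt files in issuing
# order: the self-signed root first, then each intermediate (assumed layout).
# Returns 0 only if every file parses, is unexpired, and is issued by the one before it.
check_ca_chain() {
    [ "$#" -ge 1 ] || { echo "usage: check_ca_chain root.crt [intermediate.crt ...]" >&2; return 2; }
    root=$1
    untrusted=$(mktemp) || return 2   # accumulates already-verified intermediates
    rc=0; prev=""
    for crt in "$@"; do
        # Must be a PEM (Base64) certificate that has not expired (-checkend 0).
        if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: $crt is not a PEM certificate or has expired" >&2
            rc=1; break
        fi
        if [ -z "$prev" ]; then
            # The first file must verify against itself, i.e. be a self-signed root CA.
            if ! openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1; then
                echo "FAIL: $crt is not a self-signed root CA" >&2
                rc=1; break
            fi
        else
            # Issuer must name the previous certificate's subject, or the chain has a gap.
            issuer=$(openssl x509 -in "$crt" -noout -issuer)
            subject=$(openssl x509 -in "$prev" -noout -subject)
            if [ "${issuer#*=}" != "${subject#*=}" ]; then
                echo "FAIL: $crt is not issued by $prev (missing certificate in chain)" >&2
                rc=1; break
            fi
            # Cryptographically verify the path root -> intermediates -> this certificate.
            if [ -s "$untrusted" ]; then
                openssl verify -CAfile "$root" -untrusted "$untrusted" "$crt" >/dev/null 2>&1 || rc=1
            else
                openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1 || rc=1
            fi
            [ "$rc" -eq 0 ] || { echo "FAIL: signature path to $crt does not verify" >&2; break; }
            cat "$crt" >>"$untrusted"
        fi
        prev=$crt
    done
    rm -f "$untrusted"
    [ "$rc" -eq 0 ] && echo "OK: $# certificate(s) form a complete, valid chain"
    return $rc
}
# Run directly with the .crt files as arguments; when sourced, only the function is defined.
if [ "$#" -gt 0 ]; then check_ca_chain "$@"; fi
```

A non-zero exit with a FAIL line names the first broken link, which is the certificate to re-download before running dir-cli trustedcert publish.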