vCenter upgrade prechecks on the SDDC manager are failing because Witness host is not accessible on ports 22, 443

Article ID: 417039

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

  • Workload domain is configured with a stretch cluster and Witness host.

  • A number of prechecks are reported as failing, such as "vSphere SHA-1 validation" and "Verify Standalone Host topology".

  • The pre-check validation error or warning is recorded in the file /var/log/vmware/vcf/operationsmanager/assessment/pythonvalidations/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/artifacts/vsphere-sha1-validation-execution-error-xxx-xx-xx-xx-xxxxx.txt and is displayed in the GUI with the error below:

    Failed to connect to host <Witness_FQDN>.The host's TLS certificate cannot be validated

Environment

VMware SDDC Manager 5.x

Cause

SDDC Manager cannot reach vSAN witness nodes due to ports 443/22 being unreachable.

Resolution

SDDC Manager prechecks require access to hosts via ports 443 and 22 to verify certificates and status. Ensure the firewall allows traffic on these ports from the SDDC Manager to the vSAN witness nodes.

Test the connectivity using the command below:

curl -v telnet://<Witness_FQDN>:443
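
The command above tests port 443 only. The following added example (not part of the original article or of VMware's tooling) probes both ports the prechecks need and separates a silent drop from a refusal, which helps when raising the firewall request. It assumes bash and the coreutils timeout command are available where it runs; the function names and the hostname in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: probe the TCP ports the SDDC Manager prechecks need on a witness host.
# Assumption: bash and coreutils `timeout` are installed on the machine running this.

# probe_port HOST PORT [TIMEOUT_SECONDS]
# Prints one word: open | filtered | closed | invalid
probe_port() {
    host=$1 port=$2 secs=${3:-5}
    case $port in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    rc=0
    # bash's /dev/tcp pseudo-device performs a plain TCP connect; no payload is sent.
    # Host and port are passed as arguments, never interpolated into the script text.
    timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;  # no reply before the timeout: typical of a firewall drop
        *)   echo closed ;;    # connection refused, or the name did not resolve
    esac
    return "$rc"
}

# check_witness HOST [TIMEOUT_SECONDS]
# Probes ports 22 and 443; the return status is the number of ports that are not open.
check_witness() {
    failed=0
    for p in 22 443; do
        state=$(probe_port "$1" "$p" "${2:-5}") || true
        printf '%s:%s %s\n' "$1" "$p" "$state"
        [ "$state" = open ] || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage, run from the SDDC Manager appliance (placeholder hostname):
#   check_witness witness.example.local
```

A "filtered" result points at a firewall dropping the traffic between SDDC Manager and the witness, while "closed" points at a reject rule, a stopped service on the witness, or a DNS problem.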