Content Library configuration or synchronization fails with error: Unable to verify authenticity

Article ID: 422773

Products

VMware vCenter Server

Issue/Introduction

  • Creating a new subscribed Content Library fails with the error: "Unable to verify authenticity".

  • The Sync Library task on an existing subscribed library fails with the error:

    "A general system error occurred: HTTP request error: cannot authenticate SSL certificate for host content library".

  • In /var/log/vmware/content-library/cls.log on the subscriber vCenter, entries such as the following are logged (the mismatch line names both the thumbprint the publisher presented and the one the subscriber had stored):

    YYYY-MM-DDTHH:MM:SS | DEBUG    | <cluster name>-auto-jy03-h5:######## | tomcat-http-14            | Apache4xRestrictedCipherSSLConnectionSocketFactory | Starting handshake
    YYYY-MM-DDTHH:MM:SS | DEBUG    | <cluster name>-auto-jy03-h5:######## | tomcat-http-14            | CertificateTrustStrategy       | CertificateTrustStrategy isTrusted: sslThumbprint null, sslCertificate null sourceUrl https://<ESXi-fqdn>/cls/vcsp/lib/########-####-####-####-##########/lib.json
    YYYY-MM-DDTHH:MM:SS | ERROR    | <cluster name>-auto-jy03-h5:######## | tomcat-http-14            | VcspClientImpl                 | Remote library certificate error: certificate_unknown(46)

    YYYY-MM-DDTHH:MM:SS | DEBUG | tomcat-http-49 | Apache4xRestrictedCipherSSLConnectionSocketFactory | Starting handshake
    YYYY-MM-DDTHH:MM:SS | ERROR | tomcat-http-49 | ThumbprintTrustStrategy  | SSL thumbprint mismatch: Received AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA, expected BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
    YYYY-MM-DDTHH:MM:SS | ERROR | tomcat-http-49 | VcspClientImpl  | Remote library certificate error: certificate_unknown(46) org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(Unknown Source) ~[bctls-fips-1.0.10.jar:1.0.10]
    at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(Unknown Source) ~[bctls-fips-1.0.10.jar:1.0.10]
    at org.bouncycastle.tls.TlsUtils.processServerCertificate(Unknown Source) ~[bctls-fips-1.0.10.jar:1.0.10]

Cause

When a subscribed library is created, the subscriber vCenter records the SHA-1 thumbprint of the publisher's SSL certificate and pins it. On every sync, ThumbprintTrustStrategy compares the thumbprint of the certificate the publisher presents in the TLS handshake (logged as "Received") with the stored value (logged as "expected"). If the publisher vCenter's certificate has since been replaced or renewed, the presented thumbprint no longer matches the stored reference, the handshake is rejected with certificate_unknown(46), and the sync fails.

Example (values as in the log excerpt above):

  • Thumbprint of the certificate the publisher presents now ("Received"): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

  • Thumbprint recorded in the subscriber library's database when the subscription was created ("expected"): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB (Mismatch)

Resolution

Use one of the following options. In both cases the vSphere Client displays the thumbprint of the certificate it is about to trust; before clicking Yes, confirm that this thumbprint matches the publisher vCenter's current certificate (see Additional Information below). Accepting an unverified thumbprint pins whatever certificate was presented to the subscriber, including one served by a device interposed between the two vCenters.

Option 1 (new Content Library configuration): when the subscription wizard shows the warning popup stating that the SSL certificate cannot be trusted, verify the displayed thumbprint, then click Yes and continue with the wizard.




Option 2 (Content Library that is already configured):

  1. Log in to the vSphere Client and navigate to Administration > Content Libraries.
  2. Locate the impacted subscribed library, right-click it (or open the Actions menu) and choose Edit Settings.
  3. Click OK without modifying any of the existing settings.
  4. A red banner appears with the following message:

    "SSL certificate cannot be trusted. The thumbprint of the certificate is: [thumbprint]. Do you want to proceed?"

  5. Confirm that [thumbprint] matches the publisher's current certificate fingerprint, then click Actions and select Continue to trust the new certificate.

  6. Click Yes to accept the new thumbprint, then click OK. The subscriber's stored reference is replaced with the new value and the next Sync Library task should succeed.



Additional Information

To confirm a thumbprint mismatch, and to make sure the thumbprint you are about to trust really belongs to the publisher, compare the publisher's live certificate fingerprint with the value the subscriber has stored:

  1. Retrieve the publisher's current SHA-1 fingerprint. From an SSH session on the subscriber vCenter (so the check follows the same network path the sync uses), run:

    openssl s_client -connect <VC_FQDN>:443 -servername <VC_FQDN> -showcerts </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1

    openssl x509 reads only the first certificate in the chain, which is the publisher's own (leaf) certificate; the output has the form "SHA1 Fingerprint=AA:AA:...". If the value differs from what the publisher reports for its own machine SSL certificate, something on the path is presenting a different certificate.

  2. Check the subscriber's stored reference. Log in to the subscriber vCenter via SSH as root and open the VMware Postgres database (VCDB):

    • Connect to the VCDB:

      /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres

    • Query the Content Library table (enter \x first to switch psql to expanded output, which is easier to read for wide rows):

      SELECT * FROM cl_library;

  3. Compare the thumbprint stored for the subscribed library with the fingerprint obtained in step 1. If the stored value is stale but the thumbprint the subscriber received (the "Received" value in cls.log, or the value shown in the red banner) equals the publisher's live fingerprint, this is the condition described in this article and the new thumbprint can be accepted. If the received thumbprint does not match what the publisher actually serves, do not accept it; investigate the path between the two vCenters first.
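The following script carries out the comparison from the three steps above for a batch of log lines: it extracts the Received/expected pairs from the ThumbprintTrustStrategy lines in cls.log, parses the openssl fingerprint output (or fetches the publisher's leaf certificate directly with Python's ssl module), normalizes all thumbprints to the same colon-separated upper-case form, and classifies each mismatch as either the stale-reference case this article describes or an unexpected certificate that should not be trusted. It is an added example written for this article, not VMware code; the log lines, openssl output and AA/BB/CC thumbprints are constructed samples modeled on the excerpts above, and the verdict labels are this script's own.

```python
"""Cross-check Content Library thumbprint mismatches in cls.log against the
publisher's live certificate fingerprint.

Added example, not VMware code. The log text and openssl output below are
constructed samples modeled on this article's excerpts; the AA/BB/CC
thumbprints are placeholders, not real certificate fingerprints.
"""
import hashlib
import re
import ssl

THUMB = r"(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}"   # colon-separated SHA-1 (20 bytes)
MISMATCH_RE = re.compile(
    r"SSL thumbprint mismatch: Received (?P<received>%s), expected (?P<expected>%s)"
    % (THUMB, THUMB)
)
OPENSSL_RE = re.compile(r"SHA1 Fingerprint=(?P<fp>%s)" % THUMB)

# Constructed sample: ThumbprintTrustStrategy lines from a subscriber's cls.log.
SAMPLE_CLS_LOG = """\
2024-01-01T00:00:00 | DEBUG | tomcat-http-49 | Apache4xRestrictedCipherSSLConnectionSocketFactory | Starting handshake
2024-01-01T00:00:00 | ERROR | tomcat-http-49 | ThumbprintTrustStrategy  | SSL thumbprint mismatch: Received AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA, expected BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
2024-01-01T00:00:00 | ERROR | tomcat-http-49 | VcspClientImpl  | Remote library certificate error: certificate_unknown(46)
"""

# Constructed sample: output of `openssl x509 -noout -fingerprint -sha1` run against the publisher.
SAMPLE_OPENSSL_OUTPUT = "SHA1 Fingerprint=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa\n"


def normalize(thumb):
    """Canonical form for comparison: upper-case hex pairs separated by colons."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", thumb).upper()
    if len(hexdigits) != 40:
        raise ValueError("not a SHA-1 thumbprint: %r" % thumb)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def parse_mismatches(log_text):
    """Return (received, expected) pairs for every ThumbprintTrustStrategy mismatch line."""
    return [(normalize(m.group("received")), normalize(m.group("expected")))
            for m in MISMATCH_RE.finditer(log_text)]


def parse_openssl_fingerprint(text):
    """Extract the fingerprint from `openssl x509 -fingerprint -sha1` output."""
    m = OPENSSL_RE.search(text)
    if not m:
        raise ValueError("no 'SHA1 Fingerprint=' line in openssl output")
    return normalize(m.group("fp"))


def sha1_thumbprint_of_pem(pem):
    """SHA-1 fingerprint of a PEM certificate: the same value openssl prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return normalize(hashlib.sha1(der).hexdigest())


def live_publisher_thumbprint(host, port=443):
    """Fetch the publisher's current leaf certificate and fingerprint it.
    Network call, equivalent to the openssl s_client pipeline in the article."""
    return sha1_thumbprint_of_pem(ssl.get_server_certificate((host, port)))


def classify(received, expected, live):
    """received: thumbprint presented during the failed sync (cls.log "Received")
    expected: thumbprint the subscriber database still references (cls.log "expected")
    live:     thumbprint of the publisher's current certificate, obtained out of band"""
    if received == expected == live:
        return "no-mismatch"
    if received == live and expected != live:
        # The publisher really did change its certificate; the subscriber's
        # stored reference is stale and the new thumbprint can be accepted.
        return "stale-subscriber-reference"
    # The subscriber was shown a certificate that is NOT the publisher's current
    # one: do not click Yes, investigate the path between the two vCenters.
    return "unexpected-certificate"


def check(log_text, openssl_output):
    """One verdict per mismatch line in the log."""
    live = parse_openssl_fingerprint(openssl_output)
    return [classify(r, e, live) for r, e in parse_mismatches(log_text)]


if __name__ == "__main__":
    for verdict in check(SAMPLE_CLS_LOG, SAMPLE_OPENSSL_OUTPUT):
        print(verdict)
```

Run it on a real case by saving the subscriber's cls.log, piping the openssl command from step 1 into a file, and calling check() with both texts; live_publisher_thumbprint() is the same step 1 done from Python, and sha1_thumbprint_of_pem() lets you fingerprint a certificate file exported from the publisher so the value can be cross-checked from both ends.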