HCX Site Pairing Down with error UntrustedCertificateException

Article ID: 425053

Updated On:

Products

VMware HCX

Issue/Introduction

  • HCX Site Pairing is down and shows the following error message:
    com.vmware.vchs.hybridity.adapters.https.UntrustedCertificateException: 
    PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

  • The following log entries appear on the HCX Manager in /common/logs/admin/web.log:
    <timestamps> UTC [https-jsse-nio-127.0.0.1-8443-exec-13, Ent: HybridityAdmin, , TxId: TxId: ####-####-c1c14cfa29b3] WARN  c.v.v.h.inventory.InventoryAdapter- Can not collect resources from the cloud: https://<cloud-hcx-fdqn/ip>
    java.lang.Exception: Remote cloud registration record is invalid
    <timestamps> UTC [https-jsse-nio-127.0.0.1-8443-exec-15, Ent: HybridityAdmin, , TxId: TxId: ####-####-bab2dc88c0db] ERROR o.a.c.c.C.[.[.[.[dispatcherServlet]- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is com.vmware.vchs.hybridity.adapters.https.UntrustedCertificateException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed] with root cause
    java.security.SignatureException: Signature does not match.
    at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:456)
  • The following log entries appear on the HCX Manager in /common/logs/admin/app.log:
    <timestamps> UTC [EventingService_SvcThread-19400, Ent: HybridityAdmin, , TxId: ####-####-5f664a34c628] ERROR c.v.v.h.s.e.c.EventingRestClient- Failure on pull events from remote, remote address: <uuid>
    com.vmware.vchs.hybridity.adapters.https.UntrustedCertificateException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    Caused by: com.vmware.vchs.hybridity.adapters.https.CertificateChainException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    Caused by: java.security.cert.CertPathValidatorException: signature check failed
    Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256
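
The following Python script is an added example, not part of the original article or any VMware tooling. It reads the exception chain quoted above, takes the innermost cause, and for the RSA signature-length case converts the byte counts into key sizes; the function names and verdict labels are assumptions made for this example.

```python
import re

# Constructed sample: abridged from the app.log excerpt quoted in this article.
SAMPLE_LOG = """\
com.vmware.vchs.hybridity.adapters.https.UntrustedCertificateException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: java.security.cert.CertPathValidatorException: signature check failed
Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256
"""

CAUSE_RE = re.compile(r"^\s*(?:Caused by:\s*)?([\w.$]+(?:Exception|Error)):\s*(.*)$")
SIGLEN_RE = re.compile(r"Signature length not correct: got (\d+) but was expecting (\d+)")


def root_cause(log_text):
    """Return (exception_class, message) of the last exception line in the chain."""
    last = None
    for line in log_text.splitlines():
        m = CAUSE_RE.match(line)
        if m:
            last = (m.group(1), m.group(2).strip())
    return last


def triage(log_text):
    """Classify the certificate failure from its innermost cause (labels are hypothetical)."""
    cause = root_cause(log_text)
    if cause is None:
        return {"verdict": "no-exception-found"}
    exc, msg = cause
    m = SIGLEN_RE.search(msg)
    if m:
        got, expected = int(m.group(1)), int(m.group(2))
        # For RSA, a signature is as long as the signer's modulus; "expecting" is
        # the byte length of the public key the validator tried to verify with.
        return {"verdict": "signature-length-mismatch", "exception": exc,
                "signature_bits": got * 8, "verifying_key_bits": expected * 8}
    if exc.endswith("SignatureException") and "Signature does not match" in msg:
        return {"verdict": "signature-mismatch", "exception": exc}
    return {"verdict": "other", "exception": exc}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the app.log excerpt this reports a 4096-bit signature checked against a 2048-bit key, meaning the issuer certificate used during validation does not hold the key that signed the certificate below it, which is the condition the Trusted Root Certificates check in the Resolution addresses.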

Environment

VMware HCX 

Resolution

  • This issue can be resolved by following the steps outlined below. This procedure must be performed on your Source (On-Premises) HCX environment.

    • Import Remote Certs:
      • Navigate to Administration > Certificate > Trusted Root Certificates.
      • Ensure the root/intermediate CA of the remote site is present.
    • Reconfigure the Site Pair: Go to the Site Pairing tab in the HCX UI.
      • Select the affected connection and click Edit.
      • Re-enter the credentials; this often triggers a prompt to "Accept" a new certificate thumbprint.

Additional Information