• VMware Cloud Foundation
• vCenter Server 8.0.x
• SDDC Manager

An ESXi host that was previously removed from SDDC Manager was not properly removed from the vCenter Server inventory. This orphaned host retains a legacy certificate utilizing the deprecated SHA-1 signature algorithm. vSphere 8.0 strictly enforces security standards that prohibit weak signature algorithms. The presence of this non-compliant certificate in the vCenter inventory triggers the validation failure during the SDDC Manager precheck.

1. Log in to the SDDC Manager UI.

2. Navigate to Inventory > Hosts.

3. Review the list of active hosts managed by SDDC Manager for the target workload domain.

4. Log in to the vSphere Client for the target vCenter Server.

5. Compare the vCenter Server host inventory against the SDDC Manager host inventory.

6. Identify any ESXi hosts present in the vCenter Server inventory that are missing from the SDDC Manager inventory. These represent the orphaned hosts causing the validation failure.

7. Manually remove the affected orphaned ESXi host(s) from the vCenter Server inventory.

8. Rerun the SDDC Manager precheck for the vCenter Server patch. The precheck passes once the non-compliant certificate is removed from the inventory scope.

Note: Check and verify the host is decommissioned and holds no active workloads before removal, e.g. A host must be disconnected or placed in Maintenance Mode before it can be removed from the inventory.

• vSphere 8.0 removes support for certificates with weak signature algorithms (such as SHA-1). All objects within the vCenter Server inventory must comply with these security standards before lifecycle management operations can proceed.
• Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm