When performing a Reduced Downtime Upgrade (RDU) from vCenter Server 8.0 Update 3g to 3h, the workflow fails and the temporary worker VM is deleted without a specific UI error. Log analysis reveals a failure during the downloadGuestFile process.

The following error is observed in /var/log/vmware/vlcm/vlcm.log: failed for URL... tls: failed to verify certificate: x509: cannot validate certificate for <REDACTED_IP> because it doesn't contain any IP SANs.

vCenter Server 8.0 Update 3

A global proxy configuration intercepts internal traffic to the temporary worker VM, causing a TLS handshake failure because the proxy's certificate lacks the required Subject Alternative Names (SAN).

• Log into the vCenter Server Appliance Management Interface (VAMI) at https://<REDACTED_VCSA_FQDN>:5480.

• Navigate to Networking > Proxy.

• Choose one of the following methods to bypass the proxy:

  • Option A (Temporary): Disable the proxy settings entirely for the duration of the upgrade.

  • Option B (Persistent): Add the VCSA IP address, the temporary worker VM's subnet, the esxi host and the local domain to the No Proxy list.

• Reboot the vCenter Server to ensure the configuration change is propagated.

• Retry the RDU upgrade workflow.