vCenter Server upgrade fails with invalid trusted root certificate chain error

Article ID: 433350

Products

VMware vCenter Server

Issue/Introduction

During a vCenter Server upgrade, the process fails during certificate validation. The following error is observed in the upgrade logs or UI:

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [20, 0, 'unable to get local issuer certificate']. Unable to find the root certificate .

Symptoms include:

  • Upgrade pre-check failure.

  • vSphere Diagnostic Tool (VDT) reporting missing CA certificates.

  • Broken certificate trust chain in the VMware Endpoint Certificate Store (VECS).

Environment

vCenter Server 8.x

Cause

The machine SSL certificate is signed by a Custom CA, but the corresponding root certificate is missing from the TRUSTED_ROOTS store, preventing the installer from validating the certificate chain.
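
The condition described above (OpenSSL verification error 20 at depth 0, the machine certificate itself) can be reproduced and checked offline with the `openssl` CLI. This is an added example, not code from the original article or from VMware: the certificates are constructed test data, the function names `chain_status` and `make_demo` are hypothetical, and the `vecs-cli` lines in the comments only indicate where the two PEM inputs would come from on an appliance.

```shell
#!/usr/bin/env bash
# Added example on constructed certificates; not VMware code.
# On an appliance the inputs would be PEM files exported from VECS, e.g.
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias>

# chain_status LEAF_PEM ROOTS_PEM
# Prints "ok", or "error=<code> depth=<n> reason=<text>" and returns 1.
chain_status() {
  local leaf=$1 roots=$2 out
  # -no-CApath keeps the OS trust directory from masking a missing root.
  if out=$(openssl verify -no-CApath -CAfile "$roots" "$leaf" 2>&1); then
    echo "ok"
    return 0
  fi
  # First failure line looks like:
  #   error 20 at 0 depth lookup: unable to get local issuer certificate
  printf '%s\n' "$out" |
    sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup: *\(.*\)$/error=\1 depth=\2 reason=\3/p' |
    head -n 1
  return 1
}

# make_demo DIR: constructed Custom CA, a leaf it signs, and an unrelated root
# that stands in for a TRUSTED_ROOTS store lacking the issuing CA.
make_demo() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Custom CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Unrelated Root" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_demo "$d"
  echo "issuing CA present: $(chain_status "$d/leaf.pem" "$d/ca.pem")"
  echo "issuing CA missing: $(chain_status "$d/leaf.pem" "$d/other.pem")"
  rm -rf "$d"
}
demo
```
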

Resolution

  1. Download the vCert utility or use the built-in certificate-manager.

  2. Launch the utility on the affected vCenter Server.

  3. Select Option 6 (Reset all certificates to VMCA-signed self-signed certificates).

  4. Follow the prompts to complete the certificate reset.

  5. Restart all services or reboot the vCenter Server.

  6. Retry the vCenter Server upgrade.

  7. (Optional) After a successful upgrade, re-install Custom CA certificates if required.