The VCF Operations 9.0.2 to 9.1 upgrade fails because the VCFMS software depot cannot sync metadata with the configured offline depot. Although the depot configuration status shows green, a metadata sync attempt results in an endless loading icon and eventually fails with a "Last Sync Time: NA" status.
Analysis of the fleet-upgrade-service console logs identified a 502 Bad Gateway error during the download of productVersionCatalog.json.
Log evidence from the fleet-upgrade-service confirms the exact failure point: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead. This error message indicates that while the VCFMS service can reach the depot (hence the "Green" configuration status, which likely only checks basic connectivity or initial trust), it cannot complete the TLS handshake for secure file transfer, because the depot certificate identifies the server only through the Common Name field and carries no SAN entries.
VCF 9.1
Certificates lacking SAN data are treated as invalid, causing the secure connection between VCFMS and the depot content gateway to fail.
To resolve the sync failure, regenerate the certificate for the offline depot and ensure it includes the Subject Alternative Name (SAN) field containing the FQDN and/or IP of the depot server. Once the new certificate is generated and installed on the offline depot, VCFMS must be updated to trust the new certificate.
By including the server's identity in the SAN field, the TLS handshake completes successfully, allowing the fleet-upgrade-service to download the version catalog metadata and proceed with the upgrade path.