vCenter Content Library OVA import fails with "Certificate chain longer than maximum (10)"

Article ID: 439205


Products

VMware vCenter Server

Issue/Introduction

  • When attempting to import an OVA file into a vCenter Content Library via HTTPS (with or without a proxy), the process fails with the following error: 

vmware content library http request error: internal_error(80); certificate chain longer than maximum (10)

  • The following entry may be observed in /var/log/vmware/content-library/cls.log:

    DEBUG | ... | ContentLibraryActivityCallback | vapi opId: ... - setting result with value ProbeResult ... status = UNKNOWN_ERROR, errorMessages = [LocalizableMessage ... defaultMessage = HTTP request error: internal_error(80); Certificate chain longer than maximum (10).]

Environment

VMware vCenter Server

Cause

  • vCenter Content Library has a hard-coded security limit that rejects SSL/TLS connections where the certificate chain presented by the remote server exceeds 10 certificates.
  • In this scenario, the source repository server is presenting an improperly configured certificate chain. This often occurs when administrators append new certificates to the server's configuration file (e.g., server.crt or ca-bundle.crt) without removing the old entries, leading to multiple copies of the same root or intermediate certificates being sent in a single handshake.
  • The following steps can be used to confirm the cause of the issue and verify the chain length:
    • From a Linux machine with network access to the repository, run the following command to count the certificates being presented:
      • openssl s_client -connect <server_fqdn>:443 -showcerts
      • Note: If using a proxy, add the -proxy <proxy_fqdn>:<port> flag.
    • Count the number of blocks beginning with -----BEGIN CERTIFICATE-----. If the count is 11 or higher, vCenter will reject the connection.
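
The count in the steps above can be scripted. This is an added example, not part of the original article or of any VMware tooling; besides the total it reports how many distinct PEM blocks were sent, which makes the duplicated entries described under Cause visible. The names chain_report, pem_block and sample_chain and the placeholder certificate bodies are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the certificates in `openssl s_client -showcerts` output.
# Live use, with the command from the article:
#   openssl s_client -connect <server_fqdn>:443 -showcerts </dev/null 2>/dev/null | chain_report

MAX_CHAIN=10   # limit quoted in the vCenter error message

# Reads s_client output on stdin and prints "total=N unique=M verdict=OK|REJECTED".
# total  = PEM blocks presented in the handshake
# unique = distinct blocks; total > unique means the same certificate is sent repeatedly
chain_report() {
    awk -v max="$MAX_CHAIN" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/ {
            if (inblock) {
                total++
                if (!(body in seen)) { seen[body] = 1; unique++ }
            }
            inblock = 0; next
        }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
        END {
            verdict = (total > max) ? "REJECTED" : "OK"
            printf "total=%d unique=%d verdict=%s\n", total, unique, verdict
        }'
}

# Constructed sample (placeholder bodies, not real certificates): one leaf, then
# the same intermediate and root pair appended $1 times, as happens when new
# entries are added to a bundle file without removing the old ones.
pem_block() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
sample_chain() {
    pem_block "TEVBRi1QTEFDRUhPTERFUg=="
    i=0
    while [ "$i" -lt "$1" ]; do
        pem_block "SU5URVJNRURJQVRFLVBMQUNFSE9MREVS"
        pem_block "Uk9PVC1QTEFDRUhPTERFUg=="
        i=$((i + 1))
    done
}

sample_chain 1 | chain_report   # clean chain
sample_chain 5 | chain_report   # bundle appended five times
```

A total above 10 with a much smaller unique count points to a duplicated bundle on the repository server rather than a genuinely deep chain.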

Resolution

  • The certificate chain on the source repository server must be cleaned up to ensure it contains only the necessary valid certificates (Leaf, Intermediate, and Root), staying well below the limit of 10.

Additional Information

Manually validating custom certificate chain KB