vCenter Server 8.x Patching Fails at 80% with error "postInstallHook for trustmanagement"

Article ID: 441212

Products

VMware vCenter Server

Issue/Introduction

When upgrading or patching a vCenter Server Appliance to version 8.x, the patch installation encounters a fatal error during the execution of component post-install hooks, resulting in a failure at 80% completion.

The /var/log/vmware/applmgmt/PatchRunner.log file shows the trustmanagement:Patch hook failing with the following sequence:

YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch INFO patch_03 Fetching service Info for the Trustmanagement from Lookup Service 
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch INFO patch_03 Adding Endpoint and Syncable property to Trustmanagement
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch INFO patch_03 Adding Subscribable property to Trustmanagement
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch INFO patch_03 Endpoint Url for gRPC endpoint: https://vcenter-fqdn:4000
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch ERROR patch_03 Failed to reregister TrustManagement with Lookup Service
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'trustmanagement:Patch' failed.
Traceback (most recent call last):
  File "/storage/updatemgr/software-update5cn9u4lu/stage/scripts/patches/py/vmware_b2b/patching/executor/hook_executor.py", line 74, in executeHook
    executionResult = systemExtension(args)
...
  File "/usr/lib/vmware/site-packages/pyVmomi/SoapAdapter.py", line 1607, in InvokeMethod
    raise obj # pylint: disable-msg=E0702
pyVmomi.VmomiSupport.vmodl.fault.InvalidArgument: (vmodl.fault.InvalidArgument) {
   dynamicType = <unset>,
   dynamicProperty = (vmodl.DynamicProperty) [],
   msg = '',
   faultCause = <unset>,
   faultMessage = (vmodl.LocalizableMessage) [],
   invalidProperty = 'Invalid certificate'
}

 

Environment

VMware vCenter Server 8.x

Cause

During execution of the component patch, the installer attempts to update and re-register the endpoints of the internal TrustManagement service to establish communication paths over port 4000 via the Lookup Service.

The Lookup Service explicitly rejects the registration task with a vmodl.fault.InvalidArgument fault whose invalidProperty is 'Invalid certificate'. This occurs because old, duplicate, or mismatched SSL trust anchors are present within the Lookup Service in the SSO domain.
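
To confirm that a failed patch run matches this signature before changing anything in the Lookup Service, the check below scans PatchRunner.log text for the failed hook and the fault that follows it. It is an added example, not part of the original article or of any VMware tooling; the function name triage and the sample log text are constructed for illustration.

```python
import re
import sys

HOOK_FAILED = re.compile(r"Patch hook '([^']+)' failed")
FAULT = re.compile(r"vmodl\.fault\.(\w+)")
INVALID_PROP = re.compile(r"invalidProperty = '([^']*)'")
REREGISTER = "Failed to reregister TrustManagement with Lookup Service"

def triage(log_text):
    """Summarise the first failed patch hook and whether it matches this article."""
    result = {"hook": None, "reregister_failed": False,
              "fault": None, "invalid_property": None, "matches_article": False}
    hook = HOOK_FAILED.search(log_text)
    if hook is None:
        return result
    result["hook"] = hook.group(1)
    # The re-registration error is logged just before the hook is reported failed.
    result["reregister_failed"] = REREGISTER in log_text[:hook.start()]
    # The traceback follows the hook failure, on the same line or on later lines.
    tail = log_text[hook.end():]
    fault = FAULT.search(tail)
    prop = INVALID_PROP.search(tail)
    result["fault"] = fault.group(1) if fault else None
    result["invalid_property"] = prop.group(1) if prop else None
    result["matches_article"] = (
        result["hook"] == "trustmanagement:Patch"
        and result["fault"] == "InvalidArgument"
        and result["invalid_property"] == "Invalid certificate")
    return result

# Constructed sample modelled on the log excerpt in this article (placeholder timestamps).
SAMPLE_MATCH = """\
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch ERROR patch_03 Failed to reregister TrustManagement with Lookup Service
YYYY-MM-DDTHH:MM:SS Z trustmanagement:Patch ERROR vmware_b2b.patching.executor.hook_executor Patch hook 'trustmanagement:Patch' failed.
pyVmomi.VmomiSupport.vmodl.fault.InvalidArgument: (vmodl.fault.InvalidArgument) {
   invalidProperty = 'Invalid certificate'
}
"""
# Constructed negative case: same hook, but a different (made-up) invalid property.
SAMPLE_OTHER = SAMPLE_MATCH.replace("Invalid certificate", "serviceId")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/vmware/applmgmt/PatchRunner.log"
    with open(path, errors="replace") as fh:
        print(triage(fh.read()))
```

If matches_article is False, the failed hook has a different cause and the steps in this article may not apply.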

 

Resolution

Before making any changes, take offline snapshots of this vCenter and of all other vCenters that are in ELM in the SSO domain.

 

  1. Download the lsdoctor tool attached at the bottom of KB 320837.


  2. Run the following command to check for common issues in the Lookup Service. It does not make any changes to the environment. It reports issues found on any node in the SSO domain and should show the SSL trust anchor issues within the Lookup Service that need to be fixed.

    python lsdoctor.py -l

  3. Resolve the issues in the Lookup Service by running the following command. You will first be asked whether offline snapshots have been taken on all nodes in the SSO domain.

    python lsdoctor.py -t

     

  4. Restart the vCenter services.

    service-control --stop --all && service-control --start --all

  5. Retry the upgrade.

Additional Information

https://knowledge.broadcom.com/external/article/320837/using-the-lsdoctor-tool.html