vCenter Server Brownfield Import Fails with "Failed to retrieve the thumbprint" in VCF 9.0


Article ID: 441459

Products

VCF Operations VMware Cloud Foundation

Issue/Introduction

  • When performing a brownfield import of an existing vCenter Server into a VMware Cloud Foundation 9.0 environment to create a Workload Domain (WLD), the process fails during the Certificate Thumbprint stage.
  • The VCF Operations UI displays the error: Failed to retrieve the thumbprint [HOSTNAME] at the "Certificate Thumbprint" stage during WLD Import.
  • A curl -vk https://<Host.example.com>:443 command from the SDDC Manager to the vCenter Server results in a Connection reset by peer failure during the TLS handshake.
    * Host ######:443 was resolved.
    * IPv6: (none)
    * IPv4: ##.##.##.##
    *   Trying ##.##.##.##:443...
    * ALPN: curl offers http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * Recv failure: Connection reset by peer
    * TLS connect error: error:00000000:lib(0)::reason(0)
    * OpenSSL SSL_connect: Connection reset by peer in connection to ######:443
    * closing connection #0
    curl: (35) Recv failure: Connection reset by peer
  • An openssl s_client connection attempt returns write: errno=104 and no peer certificate available, indicating an immediate connection reset.
    root@sddc [ / ]# openssl s_client -connect <vcenter.example.com>:443
    CONNECTED(00000003)
    write: errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 312 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

Environment

VMware Cloud Foundation 9.x

Cause

  • This issue is typically caused by a physical firewall or network inspection engine situated between the SDDC Manager and the vCenter Server subnet.
  • The network security device actively drops the connection during the TLS handshake, preventing the SDDC Manager from retrieving the vCenter certificate chain required for thumbprint verification.

Resolution

To resolve this issue, work with your network or security team to ensure bidirectional communication is permitted between the SDDC Manager and the vCenter Server.

  1. Verify Port Requirements: Ensure port 443 (HTTPS) is open and not subject to TLS/SSL inspection that could disrupt the handshake.
  2. Review Network Blocks: Work with the networking team to check for active blocks between the SDDC Manager and vCenter Server IP addresses.
  3. Resume Import: Once connectivity is confirmed, retry the brownfield import task from the VCF Operations UI.
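As an added example that is not part of this article, the following POSIX shell check runs the same openssl s_client probe from the SDDC Manager, recognises the handshake reset described above, and prints the certificate thumbprint once the handshake succeeds; the hostname vcenter.example.com is a placeholder, and the SHA-256 fingerprint is assumed to be the thumbprint format SDDC Manager compares.

```shell
#!/bin/sh
# Added example (not from the KB): probe the TLS handshake from the SDDC
# Manager to a vCenter Server and, when it succeeds, print the certificate
# thumbprint. "vcenter.example.com" is a placeholder hostname.

# classify_handshake reads `openssl s_client` output on stdin and prints:
#   reset   - connection reset during the handshake (errno=104 / "Connection
#             reset by peer"), the symptom described in this article
#   ok      - the server returned its certificate chain
#   no-cert - handshake failed for some other reason, no certificate returned
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"errno=104"*|*"Connection reset by peer"*) echo reset ;;
        *"BEGIN CERTIFICATE"*)                      echo ok ;;
        *"no peer certificate available"*)          echo no-cert ;;
        *)                                          echo unknown ;;
    esac
}

# check_vcenter <host> [port]: run s_client the way the KB does and report the
# outcome on one line. On success the SHA-256 fingerprint is printed; this is
# assumed here to be the thumbprint format SDDC Manager compares.
check_vcenter() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    state=$(printf '%s\n' "$out" | classify_handshake)
    case "$state" in
        ok)
            # openssl x509 skips the s_client chatter and reads the first PEM block
            tp=$(printf '%s\n' "$out" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
            echo "ok: $host:$port thumbprint $tp" ;;
        reset)
            echo "reset: $host:$port handshake was reset; check for a firewall or TLS inspection between SDDC Manager and vCenter" ;;
        *)
            echo "$state: $host:$port returned no certificate; inspect the full s_client output" ;;
    esac
}

# Example run (replace with the vCenter FQDN): check_vcenter vcenter.example.com 443
```

A "reset" result with port 443 otherwise reachable matches the cause section of this article; an "ok" result means the thumbprint stage should succeed and the import can be retried.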

Additional Information

For a comprehensive list of required ports for VCF brownfield operations, refer to the VMware Ports and Protocols tool.