• When running "tanzu management-cluster" or "tanzu mc" get or update commands, users see errors like:
  
  Error: unable to ensure prerequisites: unable to ensure tkg BOM file: failed to initialize the BOM registry to download default bom files : failed to initialze registry client: Adding CA certificates from '/root/registry_certs': failed
  
  
• The environment is built with a custom Image Registry
• The TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE environment variable has been added according to the Install Harbor Image Registry section of the TKG Air-Gapped Environment deployment steps.

This error is caused by an incorrectly configured or encoded TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE environmental variable in TKG Air-Gapped environments.

Review the TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE value configured on the TKGm jumpbox VM to ensure it is configured in a valid format:

1. Run the following command to gather environment variables related to TKG:
   
   env | grep TKG
   
   
2. Copy the base64 encoded value after TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE= and use base64 to decode it:
   
   echo <ENCODED_STRING_FROM_STEP_1> | base64 -d
   
   
3. Ensure the decoded certificate hash is valid and formatted correctly:
   
   echo <ENCODED_STRING_FROM_STEP_1> | base64 -d | openssl x509 -noout -text

Ensure the certificate has starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. There should be 5 hyphens before and after each entry with no spaces and the cert hash pasted in between.