Unable to add ESXi host to vCenter due to error "Certificate unable to verify"

Article ID: 389767

Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

If vCenter cannot verify the certificate presented by the ESXi host, adding the host to vCenter fails with the following error in the task pane:

A general system error occurred: Failed to verify certificate on <ESXi-FQDN-or-IP>. When ESXi Certificate Mode is set to custom it is mandatory to install valid certificate on ESXi host before adding the host to VC

This article applies when a custom CA certificate is not required on the ESXi host.

Cause

The certificate chain of the ESXi host certificate is broken, so vCenter cannot verify it.

Resolution

Resolution A

  • Enable maintenance mode on the ESXi host.

To do this in the ESXi Host Client, see Place an ESXi Host in Maintenance Mode in the VMware Host Client
To do this in the vSphere Client, see Place a Host in Maintenance Mode
To do this from the command line, see Place a Host in Maintenance Mode using esxcli command

  • Back up the SSL certificate and key currently in use.

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

  • Re-generate the SSL certificate. This produces a new ESXi self-signed certificate and key.

/sbin/generate-certificates

  • Restart the services so the new SSL certificate takes effect.

services.sh restart

  • The certificate is now reset to the ESXi self-signed one. Open a browser and go to ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates" to verify the change.
  • Exit maintenance mode on the ESXi host and add the host to vCenter again.

Resolution B

  • It is also possible that vCenter is using the wrong certificate mode.

    Check the certificate mode in use by reading the value of vpxd.certmgmt.mode on the vCenter Server. There are three available modes: VMCA mode, thumbprint mode and custom CA mode. If the ESXi hosts use one certificate type while vpxd.certmgmt.mode on vCenter is set to another, the hosts fail to connect to vCenter and trigger the error above.

    For the exact location of this setting, follow the tech-doc below:

    Change the Certificate Mode

    Following that doc, check the value of vpxd.certmgmt.mode. Depending on the type of certificates your ESXi hosts are using, change the value of vpxd.certmgmt.mode on vCenter if it is set to the wrong mode.
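Before choosing between Resolution A and Resolution B it helps to know what kind of certificate the host actually presents. The helper below is an added example, not part of this article; it uses the openssl binary available on ESXi, assumes the article's /etc/vmware/ssl/rui.crt path, reports whether the certificate is self-signed or CA-signed, whether it still verifies against a CA bundle, and whether that matches a given vpxd.certmgmt.mode value. The custom-mode rule comes from the error text in this article; the vmca and thumbprint rules are an assumption based on vSphere behaviour.

```shell
#!/bin/sh
# check_cert.sh: inspect an ESXi host certificate (added example).
# Usage: ./check_cert.sh [/path/to/rui.crt] [vpxd.certmgmt.mode value]
set -u

# Returns 0 when the PEM certificate is self-signed (issuer == subject).
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the certificate chains to the given CA bundle, i.e. the
# check that fails when the article says the certificate chain is broken.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate has not expired yet (expiry also breaks verify).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Prints "self-signed" or "ca-signed" for a certificate file.
cert_kind() {
    if cert_is_self_signed "$1"; then echo "self-signed"; else echo "ca-signed"; fi
}

# Prints "ok" or "mismatch" for a vpxd.certmgmt.mode value and a cert kind.
# custom: the error text says a valid CA-issued certificate is mandatory.
# vmca/thumbprint: assumed to accept a self-signed host certificate, since
# vCenter provisions or pins the certificate when the host is added.
mode_check() {
    case "$1" in
        custom)          [ "$2" = "ca-signed" ] && echo ok || echo mismatch ;;
        vmca|thumbprint) echo ok ;;
        *)               echo "unknown mode: $1"; return 1 ;;
    esac
}

main() {
    crt="${1:-/etc/vmware/ssl/rui.crt}"
    mode="${2:-vmca}"   # value read from vCenter as in Resolution B
    kind=$(cert_kind "$crt")
    echo "certificate: $crt ($kind)"
    cert_not_expired "$crt" || echo "WARNING: certificate is expired"
    echo "vpxd.certmgmt.mode=$mode: $(mode_check "$mode" "$kind")"
}

case "${0##*/}" in check_cert.sh) main "$@" ;; esac
```

A "self-signed" result together with mode "custom" reproduces the article's error, which points to Resolution B; a broken or expired chain points to Resolution A.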

Additional Information

If you need to revert to the previous SSL certificate, follow the steps below:

  • Enable maintenance mode on the ESXi host.
  • Overwrite the new SSL certificate and key with the backed-up ones.

mv /etc/vmware/ssl/rui.crt.bak /etc/vmware/ssl/rui.crt
mv /etc/vmware/ssl/rui.key.bak /etc/vmware/ssl/rui.key

  • Restart the services so the previous SSL certificate takes effect.

services.sh restart

  • The previous certificate is now restored. Open a browser and go to ESXi Host Client >> "Host" >> "Manage" >> "Security & users" >> "Certificates" to verify the change.
  • Exit maintenance mode on the ESXi host.