During a VMware Cloud Foundation (VCF) 9.x brownfield import or workload domain integration, the process fails during the precheck phase. This prevents the SDDC Manager from establishing a secure connection with the target vCenter Server."
Could not retrieve trusted root certificates from vCenter <vCenterFQDN>" or "InternalServerError"./var/log/vmware/vcf/domainmanager/domainmanager.log shows the following errorDEBUG [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7200-exec-5] Processing localizable exception Could not retrieve trusted root certificates from vCenter <vCenterFQDN>.
ERROR [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7200-exec-5] FAILED_TO_RETRIEVE_VC_TRUSTED_ROOT_CERTS Could not retrieve trusted root certificates from vCenter <vCenterFQDN>.
Caused by: org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 : "{"errorCode":"CERT_VALIDATION_ERROR","arguments":[],"message":"Error while validating certificate","causes":[{"type":"java.security.cert.CertificateExpiredException","message":"NotAfter: <cert expiry date>"}],"referenceToken":"#######"}"
/var/log/vmware/vcf/lcm/lcm.log shows the following error:
WARN [c.v.v.s.config.TrustAllTrustManager,http-nio-127.0.0.1-7100-exec-13] Trusting server[o.b.jsse.provider.ProvTlsClient,http-nio-127.0.0.1-7100-exec-13] [client #1964 @4b######0] established connection with vcsa.example.com:443
[c.v.v.l.a.a.ActivityLoggingInterceptor,http-nio-127.0.0.1-7100-exec-22] {"username":"vcfsvcs","timestamp":"Date.time","clientIP":"127.0.0.1","userAgent":"Swagger-Codegen/1.0.0/java","api":"/v1/resource-functionalities/global","httpMethod":"GET","httpStatus":200,"operation":"Get Resource Functionalities Allowed Global Configuration","remoteIP":"127.0.0.1","duration":1}[c.v.e.s.a.u.a.r.CertificateController,http-nio-127.0.0.1-7100-exec-21] Add Certificate to truststore
ERROR [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-21] CERT_VALIDATION_ERROR Error while validating certificate
Caused by: java.security.cert.CertificateExpiredException: NotAfter: <Cert expiry date>
VCF 9.x
The SDDC Manager cannot establish a secure handshake with the vCenter Server due to one of the following:
Prerequisites
Step 1: Clean the vCenter Trusted Root Store
Identify and remove expired CA certificates from the vCenter TRUSTED_ROOTS store:
Step 2: Purge the SDDC Manager Internal Truststore
KEY=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $KEYkeytool -delete -alias [ALIAS_NAME] -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $KEYStep 3: Refresh and Retry
curl -X POST localhost/appliancemanager/trustedCertificates/refresh