Hi, inspect your certificate chain. You need to have all certificates in the chain in the VMware trusted store to be able to verify the certificate; even though vCenter trusts them, LCM/VUM is more picky. Once all relevant certificates are imported into the vCenter trusted root certificates store, Lifecycle Manager starts working again.
If you run openssl s_client against a vCenter with a ZeroSSL certificate, you can see the chain provided:
 0 s:/CN=...thevcenter...
   i:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
 1 s:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
ZeroSSL RSA Domain Secure Site CA / USERTrust RSA Certification Authority - You would find them e.g. in the chain.cer received through ACME, or by xca from the fullchain, etc. (but you probably have them already there at this point).
It's not visible here, but the SHA-2 root USERTrust RSA Certification Authority also had to be downloaded from the ZeroSSL KB/site and appended to the chain to be able to install the ZeroSSL certificate into vCenter (so you probably have it there).
But the last important one is Comodo CA Limited/CN=AAA Certificate Services. vCenter itself works fine without this one, but as it's used to cross-sign the USERTRUST cert, LCM/VUM needs to have it and it's missing, so import this one as well. It could be grabbed e.g. through https://ssl-tools.net or by grepping it from the Mozilla CA certificate store (see below).
You should be OK at this point, but if it's still not working, look also at the workaround section of https://kb.vmware.com/s/article/74844 . If it's still not working after that, you could look at a couple of interesting files, but it seems they have no impact on LCM:
1) /usr/lib/vmware-updatemgr/bin/ssl/vmware-vum.keystore
Inspecting this (using Java keytool) reveals that LCM/VUM has already stored the machine certificate in its keystore even though it does not trust it.
2) /usr/lib/vmware-updatemgr/bin/RootCert.pem
It seems the format is just an export of "openssl x509 -in certificate.pem -text -fingerprint" with headers, and I guess it's the Mozilla CA certificate store in PEM format.
Good luck
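
Added example, not part of the original post: a shell helper that reads the "Certificate chain" section of openssl s_client output and lists every CA that has to be in the trusted root store, separating CA certificates the server sends from issuers it only names (here the cross-signing AAA Certificate Services). The function name list_chain_cas and the hostname are assumptions; the sample chain is the one quoted above with a placeholder leaf CN.

```shell
#!/bin/sh
# Constructed sample: the chain section quoted in the post above; the leaf CN
# is a placeholder hostname, not a real system.
SAMPLE_CHAIN=' 0 s:/CN=vcenter.example.test
   i:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
 1 s:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services'

# list_chain_cas (hypothetical helper): reads s_client output on stdin and
# prints one line per CA certificate the trust store needs:
#   "served <DN>"  CA certificate sent by the server (depth 1 and above)
#   "absent <DN>"  issuer named in the chain whose certificate is not sent
# Works with both the old "/C=.../CN=..." and the newer "C = ..., CN = ..."
# DN layouts because DNs are compared as whole strings.
list_chain_cas() {
  awk '
    /^ *[0-9]+ s:/ {
      depth = $1 + 0                  # chain position printed by s_client
      sub(/^ *[0-9]+ s:/, "")         # keep only the subject DN
      subjects[$0] = 1
      if (depth > 0) served[++ns] = $0
      next
    }
    /^ *i:/ {
      sub(/^ *i:/, "")                # keep only the issuer DN
      issuers[++ni] = $0
      next
    }
    END {
      for (j = 1; j <= ns; j++) print "served " served[j]
      for (j = 1; j <= ni; j++)
        if (!(issuers[j] in subjects) && !seen[issuers[j]]++)
          print "absent " issuers[j]
    }'
}

# Live use (hostname is a placeholder):
#   openssl s_client -connect vcenter.example.test:443 -showcerts </dev/null 2>/dev/null | list_chain_cas
printf '%s\n' "$SAMPLE_CHAIN" | list_chain_cas
```

Each "absent" line names a certificate that has to be obtained separately before it can be imported, since the server never sends it.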