If you have used custom certificates and are having problems upgrading VMware VCSA or are having problems trying to perform a backup, you may have a problem with the VMware Update Manager service. VMware's knowledgebase article applies to this issue: https://kb.vmware.com/s/article/2121689.
This procedure should fix the thumbprint mismatch that is causing the problem.
SSH into your VMware vCenter Server Appliance.
ssh root@<HOSTNAME>
If your SSH session doesn't automatically enter a shell, run the following.
shell
Run the following command to get the current Machine SSL Certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt
Run the following command to get the SSL trust certificate.
(echo "-----BEGIN CERTIFICATE-----";/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null |grep "SSL trust: " |cut -f2 -d: |cut -b2-;echo "-----END CERTIFICATE-----") > /tmp/newcert.crt
Get the thumbprints of the two certificates.
openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout
openssl x509 -in /tmp/newcert.crt -fingerprint -noout
If the two thumbprints do not match, run the following, replacing <SECOND_FINGERPRINT> with the thumbprint printed by the second command (the one for /tmp/newcert.crt).
/usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <SECOND_FINGERPRINT> --certfile /tmp/machineSSL.crt --user administrator@vsphere.local --password <PASSWORD>
Start the VMware Update Manager service.
service-control --start vmware-updatemgr
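The thumbprint comparison step above can be scripted so that an empty or unparseable /tmp/newcert.crt (for example, when the lstool.py pipeline returned nothing) is reported as an error instead of being read as a mismatch. This is an added example, not part of the original procedure or of VMware's tooling; the function names `thumbprint` and `compare_thumbprints` are hypothetical.

```shell
#!/bin/sh
# Added example: compare the two certificate thumbprints from the procedure.
# Function names are hypothetical; only the openssl call comes from the page.

# thumbprint FILE
# Prints the fingerprint as `openssl x509 -fingerprint` reports it,
# with the leading "... Fingerprint=" label removed.
thumbprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# compare_thumbprints MACHINE_CERT TRUST_CERT
# Returns 0 = thumbprints match, 1 = mismatch, 2 = a file could not be parsed.
compare_thumbprints() {
    machine_fp=$(thumbprint "$1") || { echo "cannot parse $1" >&2; return 2; }
    trust_fp=$(thumbprint "$2") || { echo "cannot parse $2" >&2; return 2; }
    echo "Machine SSL cert: $machine_fp"
    echo "SSL trust cert:   $trust_fp"
    if [ "$machine_fp" = "$trust_fp" ]; then
        echo "Thumbprints match."
        return 0
    fi
    # The second value is the one the procedure passes to --fingerprint.
    echo "Mismatch. Second fingerprint: $trust_fp"
    return 1
}

# Run directly with the two files from the procedure, e.g.:
#   sh compare.sh /tmp/machineSSL.crt /tmp/newcert.crt
if [ "$#" -eq 2 ]; then
    compare_thumbprints "$1" "$2"
fi
```
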