So I just had to renew my letsencrypt certificate for my VCSA and ran into a few issues and I wanted to write them down here, so I will go through creating the cert and adding it to your VCSA in the below blog post.
I will assume you have certbot only installed on your machine
Let’s create our cert
certbot certonly -d myservice.domain.com --manual --preferred-challenges dns --agree-tos -m email@example.com
Of course make changes as needed from the above command, then follow the instructions to add a TXT record to your DNS provider
Now comes the tricky bit of assemblying the certificate in a way that your VCSA will accept it and not choke, the below blog helped out quite a bit.
Download Chain of Trust
Copy the contents of the intermediate .pem and then the root .pem into the above file, this will be your new fullchain pem file. Now under __MACHINE_CERT click ACTIONS > Replace vCenter Server Certificate
Select like the above example
Now point to your cert1.pem file and place that in the Machine SSL Certificate and then in the Chain of trusted root certificates point that to your new fullchain-vcsa.pem file that we created, and then the last one is self explanatory either point to or copy in your private key, and if you did everything correct you should get a message that services are being restarted and once everything comes back up you should have your new cert.