I had previously switched back to VMCA self-signed certs so I could at least make LM work until I found a fix. Went to go put back on my external signed certs to get you logs but decided to put them back on by generating a CSR from vCenter, then using that CSR to get signed certs from namecheap again and add those in from Web UI. It only asked for signed cert and ca bundle since private key is already in VCSA I guess because it generated the CSR. It rebooted VCSA services and now LM works with the external signed certs, at least so far I haven't gotten any errors.

I am guessing the problem has to do with my original certs having been made completely independent of vCenter, using openssl. Which seems like a bug to me, since those certs worked fine with 6.7 and there is no indication that certs have to be first generated from vCenter, especially because there is an option to import certs like that (it asks for signed cert, ca bundle, and private key).