I would guess that the lookup service is not being updated.
Could you try to either replace the certificate using the certificate-manager over SSH or update the Lookup Service?
If I launch certificate manager from command line on the VCSA and select Option 1 (which I think is what I want here), it says the following, but I am not running vCenter in HA... Only HA is enabled for VMs for my vSAN Cluster.
Certificate Manager tool do not support vCenter HA systems
INFO:root:Certificate Manager tool do not support vCenter HA systems
Interesting, would you be able to provide a log bundle?
I had previously switched back to VMCA self-signed certs so I could at least make LM work until I found a fix. Went to go put back on my external signed certs to get you logs but decided to put them back on by generating a CSR from vCenter, then using that CSR to get signed certs from Namecheap again and add those in from Web UI. It only asked for signed cert and CA bundle since private key is already in VCSA, I guess because it generated the CSR. It rebooted VCSA services and now LM works with the external signed certs, at least so far I haven't gotten any errors.
I am guessing the problem has to do with my original certs having been made completely independent of vCenter, using openssl. Which seems like a bug to me, since those certs worked fine with 6.7 and there is no indication that certs have to be first generated from vCenter, especially because there is an option to import certs like that (it asks for signed cert, ca bundle, and private key).