A fix for PEM files with DOS-style newlines was made in NSX-T 4.1.1.
Workaround:
**It is recommended that backups are confirmed to be in place before making any changes**
Step 1 - Re-import the CA-signed certificate.
- Instead of choosing "Browse" and selecting the certificate PEM file, open the PEM file in a text editor like Notepad and copy-paste the contents into the "Certificate Contents" field.
- Then, copy-paste the certificate's private key into the "Private Key" field. Be sure to un-select the "Service Certificate" option.
- Once the certificate has been imported, note its ID. It will be needed later and will be referred to as "ca-certificate-id".
- Log into any NSX manager node as root and run the following commands that will revert to the self-signed certificates created when the managers were installed.
Step 2 - Determine the node IDs of the three manager nodes.
- These can be obtained from the System -> Appliances page in the NSX UI.
- For each manager node, open the "Details" link and click on the clipboard icon next to "UUID" in the details page. Note the UUIDs of these nodes.
- They will be referred to later as "nsx-mgr1-node_id", "nsx-mgr2-node_id", and "nsx-mgr3-node_id".
Step 3 - Apply the new certificate to the manager nodes and VIP.
- Log into any manager node as root and run the following 4 commands:
curl -X POST -H "x-nsx-username: admin" 'http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<ca-certificate-id>?action=apply_certificate&service_type=API&node_id=<nsx-mgr1-node_id>'
curl -X POST -H "x-nsx-username: admin" 'http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<ca-certificate-id>?action=apply_certificate&service_type=API&node_id=<nsx-mgr2-node_id>'
curl -X POST -H "x-nsx-username: admin" 'http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<ca-certificate-id>?action=apply_certificate&service_type=API&node_id=<nsx-mgr3-node_id>'
curl -X POST -H "x-nsx-username: admin" 'http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<ca-certificate-id>?action=apply_certificate&service_type=MGMT_CLUSTER'
Step 4 - Restart the reverse proxy service on each manager node.
- Log into each manager node as the admin user and run the command "restart service http"
Once the correct certificate has been applied, you can delete the bad certificate from the System -> Certificates page in the NSX Manager UI.
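To confirm that a PEM file has the DOS-style (CRLF) newlines described above before re-importing it in Step 1, the following added example (not part of the original article or of NSX) counts CR-terminated lines, writes an LF-only copy, and runs a strict line-based structure check. The function names, the ".unix" suffix and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): check a PEM file for DOS-style
# (CRLF) newlines before importing it. All names here are illustrative.

# Print the number of lines that end in a carriage return.
pem_crlf_lines() {
    awk '/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Write an LF-only copy of $1 to $2, readable by the owner only because the
# file may hold a private key. The original file is left untouched.
pem_to_unix() {
    ( umask 077; tr -d '\r' < "$1" > "$2" )
}

# Strict line-based check: balanced BEGIN/END markers, base64-only body
# lines, nothing outside the blocks. A trailing CR makes every line fail.
pem_structure_ok() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ { if (inblk) bad = 1; inblk = 1; blocks++; next }
        /^-----END [A-Z0-9 ]+-----$/   { if (!inblk) bad = 1; inblk = 0; next }
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        !inblk && $0 != "" { bad = 1 }
        END { if (bad || inblk || blocks == 0) exit 1 }
    ' "$1"
}

# Returns 0 if the file is clean, 1 if CRLF was found (LF copy written to
# "$1.unix"), 2 if the structure is wrong even without the CRs.
pem_check() {
    n=$(pem_crlf_lines "$1")
    if [ "$n" -eq 0 ]; then
        pem_structure_ok "$1" || return 2
        echo "$1: LF newlines, structure OK"; return 0
    fi
    pem_to_unix "$1" "$1.unix"
    pem_structure_ok "$1.unix" || return 2
    echo "$1: $n CRLF line(s); LF-only copy written to $1.unix"; return 1
}

# Constructed sample: a PEM-shaped file with CRLF newlines (not a real certificate).
make_sample_crlf_pem() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgU0FNUExF' '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh pemcheck.sh <file.pem>
if [ $# -gt 0 ]; then pem_check "$1"; fi
```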