Symptoms:
Error encountered when Configuring host for NSX-T: "Failed to install software on host. Invalid host thumbprint <SHA 256 thumbprint>”
1. Verify that SHA certificate thumbprint on host matches what NSX is reporting in UI / logs:
root@host: openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha256 -noout
2. Verify that host certificate is not expired:
root@host: openssl x509 -in /etc/vmware/ssl/rui.crt -text -noout
3. Check /var/log/syslog or /var/log/proton/nsxapi.log on NSX Manager node for error:
"SSL validation failed for host <IP> because specified thumbprint <SHA 256 thumbprint> does not match host thumbprint <SHA 256 thumbprint>"
Note: If the host thumbprint does not match the openssl output from the host itself (step 1), and it is unclear where NSX is getting that certificate thumbprint, confirm if the host IP in logs matches the IP of the host's VMkernel network adapter interface with the 'Management' service enabled in Port properties. If the 'Management' service is selected for the wrong interface on the host, NSX will verify the host certificate against the wrong IP.