• You recently upgraded NSX-T to 4.1.1 or above.
• You have an LDAPS server configured.
• After the upgrade the LDAPS server connection is in a failed state.
• In the VMware NSX manager /var/log/syslog and /var/log/proton/nsxapi.log, you see errors similar to the below:

WARN http-nio-127.0.0.1-7440-exec-2 CdpCrlChecker 4477 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="xxxxxxxx-dbca-4718-ba7f-xxxxxxxxxxxx" subcomp="manager" username="admin"] CRL CN=XXXXXX,DC=XXXXXX,DC=XXXXXX,DC=XXX is signed with OID 1.2.840.113549.1.1.10

VMware NSX-T Data Center
VMware NSX 4.x

AlgorithmId.sha256WithRSAEncryption_oid ( 1, 2, 840, 113549, 1, 1, 11)
AlgorithmId.sha256WithDSA_oid (2, 16, 840, 1, 101, 3, 4, 3, 2)
AlgorithmId.sha256WithECDSA_oid (1, 2, 840, 10045, 4, 3, 2)
AlgorithmId.sha384WithECDSA_oid (1, 2, 840, 10045, 4, 3, 3)
AlgorithmId.sha384WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 12)
AlgorithmId.sha512WithECDSA_oid (1, 2, 840, 10045, 4, 3, 4)
AlgorithmId.sha512WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 13)

None, this issue is due to incorrectly signed CRL certificate, which are not supported by VMware NSX.

Workaround:

You can disable CRL checking, which will prevent the connection from failing when checking the CRL of the certificate used by the LDAPS server.

Use the API call: 

GET https://{{ip}}/policy/api/v1/infra/security-global-config

And change the value for "crl_check_enabled" from true to false and USE the returned data, with edit in the following POST API call:

PUT https://{{ip}}/policy/api/v1/infra/security-global-config