This is not a bug and NSX-T is working as expected.
Workaround:
The following needs to be done whenever certificates are changed on the controller with a non well known CA:
1. Export the root CA certificate from the ALB and save onto the NSX manager.
2. Run the below commands as root from the NSX-T Manager CLI where <ca-file-path> is to location of the certificate uploaded in step 1:
a. keytool -importcert -alias startssl -keystore /usr/lib/jvm/jre/lib/security/cacerts -storepass changeit -file <ca-file-path>
If the above path is not found, please use the command below:
b. keytool -importcert -alias startssl -keystore /usr/java/jre/lib/security/cacerts -storepass changeit -file <ca-file-path>
c. sudo cp <ca-file-path> /usr/local/share/ca-certificates/
d. sudo update-ca-certificates
e. service proton restart
3. Log into the NSX-T UI and confirm the ALB page is now loading as expected