Symptoms:

• Certificates of the vCenter Server were changed (e.g. machine certificate or STS certificate).
• Reconciliation of TKGS cluster is failing.
• The nsx-ncp pods remain stuck in "Init" state:

• NSX-NCP pods might be constantly crashing/restarting and be in CrashLoop BackOff state.
  • Verifiable via kubectl, e.g. kubectl describe pod/nsx-ncp-[UNIQUE ID] -n vmware-system-nsx
• Logs on the supervisor cluster in /var/log/pods/ indicate issues that certificate is not trusted. Logs might be similar to:
  • (Logs can also be checked via kubectl, e.g. kubectl logs pod/nsx-ncp-[UNIQUE-ID] -n vmware-system-nsx)

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x

After vCenter certificates were replaced (especially machine certificate and STS certificate), NSX Manager expectedly loses trust with vCenter Server. Due to the certificate changing, NSX Manager cannot differentiate between an expected certificate change or a malicious attempt (e.g. Man-in-the-middle attack) and refuses to further communicate with the vCenter API for security reasons.

Manually re-establishing trust with validation of the certificate thumbprint is required to re-establish the trust relationship and connectivity between both components.

For re-establishing trust between NSX Manager and its Compute Manager (vCenter), please follow 'Resolution' outlined in this KB article: After VMware vCenter Server certificate is replaced, compute manager connection is "Down" on NSX UI.

When this is performed, NSX-NCP pods on the Supervisor Cluster should re-establish connectivity after some minutes automatically. If not, please involve VMware Support with reference to this KB article.

Impact/Risks:
The reconciliation of TKGS cluster is failing. As this is usually caused due to broken trust relationship between NSX Manager and vCenter Server, it might have a broader impact which involve both components - such as pods creation failing, changes to network policy, etc.