Time out when deploying an NSX Manager appliance or NSX Edge node

Article ID: 373881

Products

VMware NSX

Issue/Introduction

  • When deploying an NSX Manager appliance, or an NSX Edge node, the deployment fails with a timeout.
  • Certificates were replaced on the NSX Manager appliance.
  • Querying the NSX Manager IP or VIP with curl shows a "SSL_ERROR_SYSCALL" error:
    $ curl https://<NSX_Manager>/
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <NSX_Manager>
  • Querying the NSX Manager IP or VIP with openssl shows a PEM error "unable to load certificate" with "no start line":
    $ echo | openssl s_client -showcerts -connect <NSX_Manager>:443 | openssl x509 -inform pem -noout -text
    unable to load certificate
    #####:error:#####:PEM routines:PEM_read_bio:no start line:#####:Expecting: TRUSTED CERTIFICATE

Cause

The relevant certificate (API or VIP) was imported with undesired characters, such as CR+LF (\r\n) line endings instead of LF (\n).

Resolution

This issue is resolved in VMware NSX 4.2, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

Import a new certificate without undesired characters: make sure that the line endings are LF (\n) only.
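
One way to check a PEM file for CR+LF line endings before importing it, as an added example that is not part of the original article or of NSX. The function names and the sample file are hypothetical, and the sample body is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the KB): check a PEM file for CR+LF before import.
CR=$(printf '\r')

# Print how many lines contain a carriage return (0 means LF-only).
pem_cr_lines() {
    grep -c "$CR" "$1" || true
}

# Write an LF-only copy of $1 to $2; the input file is left untouched.
pem_normalize() {
    tr -d '\r' < "$1" > "$2"
}

# Return 0 if $1 is LF-only and its BEGIN/END marker lines match exactly,
# 1 if it needs fixing, 2 if it cannot be read.
pem_check() {
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 2; }
    n=$(pem_cr_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n line(s) contain CR; normalize before import" >&2
        return 1
    fi
    grep -qx -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -qx -e '-----END CERTIFICATE-----' "$1"
}

# Constructed sample: a PEM-shaped file with CR+LF endings. The body is a
# placeholder string, not a real certificate.
make_crlf_sample() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh pem_check.sh cert.pem   (writes cert.pem.lf when CR is found)
if [ $# -gt 0 ]; then
    pem_check "$1" || { pem_normalize "$1" "$1.lf" && pem_check "$1.lf"; }
fi
```

When the check writes a `.lf` copy, import that copy rather than the original file.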

Additional Information

Starting in NSX 4.2, the content of certificates is normalized before being used by the system. The original certificate file remains untouched, so downloading the certificate PEM file will return the original content.