After upgrading VMware NSX-T 3.x to VMware NSX 4.x in a federation environment, error code 606101 may appear for Local Manager sites.

There may have alarms for expired/expiring certificates.

However, after applying the replace_certs.py script, the federation environment may see an error similar to the following screenshot:

There may have similar log entries in syslog:

2024-02-21T16:52:20.684Z  WARN http-nio-127.0.0.1-64440-exec-73 NsxTRestClient 79070 POLICY [nsx@6876 comp="global-manager" level="WARNING" reqId="<UUID>" subcomp="global-manager" username="admin"] ResourceAccessException for REST api GET https://<NSX-LM>/api/v1/sites/self, retry attempt: 1, retries left: 0
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://<NSX-LM>/api/v1/sites/self": PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) ~[spring-web-5.3.20.jar:5.3.20]
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:711) ~[spring-web-5.3.20.jar:5.3.20]

VMware NSX 4.1.x

This is caused by a certificate cache issue. 

Rolling reboot all the NSX Global Manager nodes and Local Manager nodes should resolve this issue as the certs will be updated in the cache.