When attempting to rotate TKGi NSX-T certificates using the steps in KB 330615, the command 'tkgi rotate-certificates <cluster name> --only-nsx' immediately fails with the error "An error occurred in the PKS API when processing".
The pks-api logs will contain the following error:
"ERROR 16133 — [nio-9021-exec-6] i.p.pks.cluster.CertificateService : Unknown error occurred rotating nsx certs
feign.RetryableException: Received fatal alert: handshake_failure executing GET https://<nsx-t-manager>/api/v1/trust-management/principal-identities"
Environment: TKGi versions 1.19 and 1.20.
This issue is caused by the 'no proxy' list not being honored when running the command 'tkgi rotate-certificates <cluster name> --only-nsx'. TKGi version 1.19 introduced the capability to use the 'tkgi rotate-certificates' command when NSX Manager is behind an HTTP/HTTPS proxy (detailed in the TKGi 1.19 Release Notes), but the code change did not add a line for the NO-PROXY list. As a result, the proxy is still used when communicating with servers such as NSX and the PKS API, and the certificate rotation fails immediately.
This is a known issue that has been resolved by engineering in TKGi version 1.21.
Workaround:
Manually remove the proxy from the configuration file prior to running 'tkgi rotate-certificates <cluster name> --only-nsx'.
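
To confirm that a failed rotation matches this known issue rather than another cause, the two-line log signature quoted above can be checked mechanically. The script below is an added example, not part of this KB or of TKGi tooling; the function names, the host nsx.example.test, the ClusterService lines and the timestamps in the sample log are constructed.

```shell
#!/bin/sh
# Added example (not TKGi tooling): detect the two-line pks-api signature
# of the NSX certificate rotation failure described in this article.

# Reads pks-api log text on stdin, prints each matching exception line,
# and returns 0 if the signature was found, 1 otherwise.
find_nsx_rotation_handshake_failure() {
    awk '
        # First line: CertificateService reports the NSX rotation error.
        /CertificateService/ && /Unknown error occurred rotating nsx certs/ {
            armed = 1; next
        }
        # Second line: TLS handshake failure on the principal-identities call.
        armed && /feign\.RetryableException/ && /handshake_failure/ &&
        /\/api\/v1\/trust-management\/principal-identities/ {
            found++; print; armed = 0; next
        }
        # Any other log record closes the window, so unrelated handshake
        # failures elsewhere in the log are not attributed to the rotation.
        armed && /(ERROR|WARN|INFO|DEBUG) [0-9]+ / { armed = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample log: one real signature, then a stray exception that
# is not preceded by the rotation error and must not be counted.
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00.000  INFO 16133 --- [nio-9021-exec-5] i.p.pks.cluster.ClusterService : request received
2024-01-01 10:00:01.000 ERROR 16133 --- [nio-9021-exec-6] i.p.pks.cluster.CertificateService : Unknown error occurred rotating nsx certs
feign.RetryableException: Received fatal alert: handshake_failure executing GET https://nsx.example.test/api/v1/trust-management/principal-identities
2024-01-01 10:05:00.000  WARN 16133 --- [nio-9021-exec-7] i.p.pks.cluster.ClusterService : retrying
feign.RetryableException: Received fatal alert: handshake_failure executing GET https://nsx.example.test/api/v1/trust-management/principal-identities
EOF
}

# Stand-alone run against the constructed sample; replace sample_log with
# the real pks-api log on stdin to check an actual environment.
sample_log | find_nsx_rotation_handshake_failure || echo "signature not present"
```

A match only confirms the symptom; whether the request went through the proxy still has to be verified against the proxy settings in the configuration.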