The "tkgi login" command might fail with "Error: Credentials were rejected, please try again" even when the correct credential is provided. For example,

$ tkgi login -a <TKGI API server FQDN or IP>  -u admin -p <correct password> -k

Error: Credentials were rejected, please try again.

• Tanzu Kubernetes Grid Integrated Edition

tkgi CLI will verify the hostname contained in the TLS certificate returned from TKGI API server against the TKGI API endpoint specified on command line. If they don't match, the tkgi CLI would complain ""Error: Credentials were rejected, please try again". 

Get Certificate to secure the TKGI API property configured on Settings page of Tanzu Kubernetes Grid Integrated Edition tile ("TKGI API" pane) and check "Subject Alternative Name" field for the TKGI API hostname. Then use that hostname as the TKGI API endpoint to run "tkgi login" command. 

If you want to use a different hostname from the one in the certificate, provide a new certificate containing desired hostname to Certificate to secure the TKGI API property and configure API Hostname (FQDN)  property to same new hostname on Settings page of Tanzu Kubernetes Grid Integrated Edition tile followed by "Apply Changes" against the tile. 

The new certificate could be a custom one or regenerated on tile Settings page as shown in below image.