In the NSX Manager UI System Overview page, one or more NSX Managers show Repository Sync State in red with error "Sync Failed".
This occurs after at least one NSX Manager has been redeployed.
Your NSX version is 4.2 or later and was upgraded from 4.1.x or earlier.
You are using custom or 3rd party CA certificates for the NSX API and UI access.
In /var/log/syslog you see the error:
NSX 436657 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] certificate verification <CERTIFICATE UUID> from <FQDN>:443 failed: SSL: no alternative certificate subject name matches target host name '<FQDN>'
NSX 4.2 or later
From NSX version 4.2 onward, the API certificate for the NSX Manager nodes is shared with the cluster VIP. In previous versions, the manager nodes and the VIP each had their own certificate assigned for API and cluster access.
If you use custom certs for API and cluster access, they generally weren't created with Subject Alternative Names and Subject Alternative IPs (SAN/SAI).
Upgraded NSX Managers retain their certificates from older versions, so each manager still functions as it did previously. However, if a new manager is deployed (to replace a failing manager or to change the manager deployment size), the new appliance binds to the cluster VIP certificate. If that certificate does not have a SAN or SAI that matches the node IP, it will fail to properly identify the server and the repository sync will fail.
This can be resolved by creating a new certificate for the cluster VIP, either self-signed or via a 3rd party CA, that includes the Subject Alternative Name and Subject Alternative IP for all NSX Manager nodes in the cluster.
For details on how to create certificates for NSX services, please refer to the Certificates section of the online documentation.
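The following shell helpers are an added example, not part of the original article or of NSX: one builds an OpenSSL request config whose SAN covers the VIP and every manager node, the other lists which required names a certificate's SAN is missing. All hostnames, addresses and file names are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Hostnames and addresses are constructed placeholders.
# Arguments made only of digits and dots are treated as IPv4 addresses,
# everything else as a DNS name (no IPv6 or wildcard handling).

# san_config CN NAME... : print an OpenSSL req config whose
# subjectAltName lists every NAME (VIP and all manager nodes).
san_config() {
    cn=$1; shift
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    printf 'req_extensions = v3_req\n[dn]\nCN = %s\n' "$cn"
    printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
    d=0; i=0
    for n in "$@"; do
        case $n in
            *[!0-9.]*) d=$((d + 1)); printf 'DNS.%d = %s\n' "$d" "$n" ;;
            *)         i=$((i + 1)); printf 'IP.%d = %s\n' "$i" "$n" ;;
        esac
    done
}

# missing_sans SAN_TEXT NAME... : print each NAME with no exact DNS: or
# "IP Address:" entry in SAN_TEXT, where SAN_TEXT is the output of
#   openssl x509 -noout -ext subjectAltName -in <cert>
missing_sans() {
    entries=$(printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    shift
    for n in "$@"; do
        case $n in
            *[!0-9.]*) want="DNS:$n" ;;
            *)         want="IP Address:$n" ;;
        esac
        # -x: whole entry, -F: literal, -i: DNS names are case-insensitive
        printf '%s\n' "$entries" | grep -qixF -- "$want" || printf '%s\n' "$n"
    done
}

# Typical use (file names are placeholders):
#   san_config vip.example.test vip.example.test mgr-01.example.test \
#       192.0.2.10 192.0.2.11 > vip.cnf
#   openssl req -new -newkey rsa:2048 -nodes -keyout vip.key \
#       -out vip.csr -config vip.cnf
#   missing_sans "$(openssl x509 -noout -ext subjectAltName -in vip.crt)" \
#       mgr-01.example.test 192.0.2.11
```

Empty output from `missing_sans` means every listed node name and IP has a matching SAN entry in the certificate.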