REPO_SYNC is in Fail state on one or more NSX Managers and NSX API certificates are expired.


Article ID: 407780


Updated On:

Products

VMware NSX

Issue/Introduction

  • REPO_SYNC is failing on one or more NSX Manager(s).
  • Certificates have expired on NSX Manager(s).
  • The following snippets are seen in /var/log/syslog:

<Timestamp> [Manager Name] NSX 1366540 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] Calling '/opt/vmware/nsx-common/python/nsx_utils/curl_wrapper', '--silent', '--head', 'https:/[Manager FQDN]:443/repository/4.1.2.1.0.22667789/Manager/dry_run/dry_run.py', '--show-error', '--thumbprint', '##########'
<Timestamp> [Manager Name] NSX 1366540 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] Trying (with httpLib)[Manager FQDN]:443...
<Timestamp> [Manager Name] NSX 1366540 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] Calling 'openssl', 's_client', '-showcerts', '-servername', '########', '-connect', [Manager FQDN]:443'
<Timestamp> [Manager Name] NSX 1366540 - [nsx@6876 comp="nsx-manager" subcomp="curl_wrapper" username="uproton" level="INFO"] certificate verification 717157c###############################################dbab595 from [Manager FQDN]:443 failed: certificate has expired

Or, as below, in /var/log/proton/nsxapi.log:

<Timestamp> [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Sending POST request to api/v1/cluster/node?action=repo_sync with message: null
<Timestamp> [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Certificate expired for CN=<Hostname of Manager>,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US
<Timestamp> [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] checkServerTrusted: CN=<Hostname of Manager>,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US for authType=ECDHE_RSA failed: Certificate expired for CN=<Hostname of Manager>,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US
<Timestamp> [nsx@6876 comp="nsx-manager" errorCode="MP31815" level="ERROR" subcomp="manager"] TLS Error in rest call url= /api/v1/cluster/node?action=repo_sync , method= POST , response= null , error= [{"errorMessage":"TLS handshake failed","errorData":{"errorCode":"503"}}]
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://<IP of manager>/api/v1/cluster/node": Certificate expired for CN=<Hostname of Manager>,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US; nested exception is javax.net.ssl.SSLHandshakeException: Certificate expired for CN=<Hostname of Manager>,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US

Or also in /var/log/proton/nsxapi.log:

<Timestamp> INFO RepoSyncThread-1749803295755 RepoSyncFileHelper 3806208 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Command to get server info for https://<Manager IP>:443/repository/4.1.2.3.0.23382408/HostComponents/esx70/nsx-esx-postcheck returned result CommandResultImpl [commandName=null, pid=3138859, status=FAILED, errorCode=60, errorMessage=curl_wrapper: (60) certificate has expired

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
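
A log triage sketch for the excerpts above, added here as an example and not VMware's or this article's own tooling: it scans syslog and nsxapi.log lines for the expired-certificate signatures shown and reports which peer, subject or URL each one names. The sample lines, hostnames, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Patterns built from the message text of the log excerpts in this article.
SIGNATURES = {
    "curl_wrapper_expired": re.compile(
        r'subcomp="curl_wrapper".*from (?P<who>\S+) failed: certificate has expired'),
    "trust_check_expired": re.compile(
        r'checkServerTrusted: (?P<who>CN=.+?) for authType=\S+ failed: Certificate expired'),
    "repo_sync_tls_error": re.compile(
        r'errorCode="MP31815".*TLS Error in rest call url= (?P<who>\S*action=repo_sync)'),
    "repo_file_curl_60": re.compile(
        r'RepoSyncFileHelper.*info for (?P<who>https://\S+) returned result'
        r'.*errorCode=60.*certificate has expired'),
}

def scan(lines):
    """Map each matching signature to the sorted peers, subjects or URLs it names."""
    hits = defaultdict(set)
    for line in lines:
        for name, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if match:
                hits[name].add(match.group("who"))
    return {name: sorted(values) for name, values in hits.items()}

# Constructed sample input: hosts, addresses, timestamps and thumbprint are made up.
SUBJ = "CN=nsx-mgr-02,OU=NSX,O=VMware Inc.,L=Palo Alto,ST=CA,C=US"
MGR = '[nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] '
SAMPLE = [
    '2025-06-13T08:28:15Z nsx-mgr-01 NSX 1366540 - [nsx@6876 comp="nsx-manager" '
    'subcomp="curl_wrapper" username="uproton" level="INFO"] certificate verification '
    'aa11bb22 from nsx-mgr-02.example.test:443 failed: certificate has expired',
    '2025-06-13T08:28:16Z ' + MGR + 'Sending POST request to '
    'api/v1/cluster/node?action=repo_sync with message: null',  # benign, no match
    '2025-06-13T08:28:16Z ' + MGR + 'checkServerTrusted: ' + SUBJ
    + ' for authType=ECDHE_RSA failed: Certificate expired for ' + SUBJ,
    '2025-06-13T08:28:16Z [nsx@6876 comp="nsx-manager" errorCode="MP31815" level="ERROR" '
    'subcomp="manager"] TLS Error in rest call url= /api/v1/cluster/node?action=repo_sync '
    ', method= POST , response= null',
    '2025-06-13T08:28:17Z INFO RepoSyncThread-1 RepoSyncFileHelper 3806208 SYSTEM ' + MGR
    + 'Command to get server info for https://192.0.2.12:443/repository/'
    '4.1.2.3.0.23382408/HostComponents/esx70/nsx-esx-postcheck returned result '
    'CommandResultImpl [status=FAILED, errorCode=60, errorMessage=curl_wrapper: (60) '
    'certificate has expired',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Feeding it the real /var/log/syslog and /var/log/proton/nsxapi.log lines from each manager shows which node's certificate the others are rejecting, which is the one to replace first.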

Environment

VMware NSX
VMware NSX-T Data Center

Cause

Expired API certificates on the NSX Manager could result in the failure of the REPO_SYNC process.

Resolution

Replace the expired certificates on the NSX Manager by following Replace Certificates Through API, or by using the CARR script if the certificates are self-signed.

  • After replacing the expired certificates, fix the REPO_SYNC status by following these steps:

    1. Navigate to System > Appliances in the NSX Manager UI.

    2. On the NSX Manager node, select view details.

    3. Check for the REPO_SYNC status.

    4. If it's in a failed state, click the Resolve option next to the REPO_SYNC status.

  • Note: If REPO_SYNC is still in a failed state after following the above steps, refer to the following documentation for alternate methods: After replacing Managers or while running Upgrade prechecks, Repo_Sync is Failed.