NSX Compute Manager Registration Errors After vCenter Certificate Renewal Due to vpxd Certificate Mismatch

Article ID: 412728


Products

VMware NSX
VMware vCenter Server

Issue/Introduction

After the SSL certificate is renewed or replaced on a vCenter Server that is registered as a Compute Manager in NSX-T, the vCenter Compute Manager fails to register or to maintain a healthy connection with NSX.

Environment

VMware NSX-T Data Center
VMware vCenter Server

Cause

The primary cause is that the vpxd service within the vCenter Server Appliance is still utilizing the old, expired, or replaced SSL certificate, even though the main HTTPS service (rhttpproxy) might be presenting the new, valid certificate. This internal inconsistency leads to a thumbprint mismatch when NSX attempts to validate the vCenter's certificate for the Compute Manager connection, resulting in registration failures.

- The logs show that NSX is using the same thumbprint (that of the new certificate), yet the certificate is still reported as expired.

cm-inventory.log

"/cm-inventory/api/v1/fabric/compute-managers": {
    "result_count": 1,
    "results": [
      {
        "_create_time": <timestamp>,
        "_create_user": "system",
        "_last_modified_time": <timestamp>,
        "_last_modified_user": "<username>",
        "_protection": "NOT_PROTECTED",
        "_revision": 30,
        "access_level_for_oidc": "FULL",
        "create_service_account": false,
        "credential": {
          "credential_type": "UsernamePasswordLoginCredential",
          "thumbprint": "20:E3:xx:xx:xx:xx:xx:xx:xx:xx:xx:7B:74:49:4F:EC:CC:94" <<< New certificate thumbprint
        },
        "description": "",
        "display_name": "<vCenter_name>",
        "id": "8bd1####-####-####-####-####67fd5b4e",
        "multi_nsx": false,
        "origin_properties": [
          {
            "key": "fullName",
            "value": "VMware vCenter Server 8.0.3 build-24305161"
          },

           "key": "instanceUuid",
            "value": "5429####-####-####-####-####b5c41eae"
       "origin_type": "vCenter",
        "resource_type": "ComputeManager",
        "reverse_proxy_https_port": 443,
        "server": "<vCenter_name>",
        "set_as_oidc_provider": true

status:

  "/cm-inventory/api/v1/fabric/compute-managers/8bd1####-####-####-####-####67fd5b4e/status": {
    "connection_errors": [
      {
        "error_code": 0,
        "error_message": "Compute Manager <vCenter_name> certificate is expired. Please renew it and edit Compute Manager to update its thumbprint in NSX.",
        "timestamp": <timestamp>
      }
    ],
    "connection_status": "DOWN",
    "last_sync_time": <timestamp>,
    "oidc_end_point_id": "2dbee45######################################2803f5f361f7",
    "registration_errors": [
      {
        "error_code": 90325,
        "error_message": "Failed to remove NSX ownership due to error Error in rest call. url= nsxapi/api//v1/managed-objects/lcm/nsx-ownership/8bd1####-####-####-####-####67fd5b4e?action=clear , method= PUT , response= {\n \"module_name\" : \"common-services\",\n \"error_message\" : \"General error has occurred.\",\n \"details\" : \"java.lang.RuntimeException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: Certificate expired for C=US,CN=<vCenter_name>\",\n \"error_code\" : 100\n}\n , error= 500 : \"{<EOL> \"module_name\" : \"common-services\",<EOL> \"error_message\" : \"General error has occurred.\",<EOL> \"details\" : \"java.lang.RuntimeException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: Certificate expired for C=US,CN=<vCenter_name>\",<EOL> \"error_code\" : 100<EOL>}<EOL>\" .. Please resolve the error and try again.",
        "timestamp": <timestamp>
      }
    ],
    "registration_status": "REGISTERED_WITH_ERRORS",
    "version": "8.0.3"
  },


On the vCenter, the certificate at /etc/vmware-vpx/ssl/rui.crt did not match the actual (replaced) certificate.

Use the following command to inspect the certificate on the vCenter Server:
openssl x509 -in /path/certificate.crt -text -noout
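
The check described above can be scripted. This is an added example, not part of the original article or any Broadcom tooling: it compares the certificate vpxd holds on disk with the one served on port 443 and flags expiry. The function names, the use of SHA-256 fingerprints and `localhost` as the target are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: detect a vpxd / HTTPS certificate mismatch on a vCenter appliance.
VPXD_CERT="/etc/vmware-vpx/ssl/rui.crt"   # path taken from the article

# Print the SHA-256 thumbprint of a PEM certificate as colon-separated hex.
cert_thumbprint() {   # cert_file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if the certificate is expired, or expires within $2 seconds
# (default 0). An unreadable file is also treated as expired.
cert_expired() {   # cert_file [seconds]
    ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Save the leaf certificate presented by host:port as PEM (network call).
fetch_served_cert() {   # host port out_file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Compare the on-disk certificate with the served one.
# Prints MATCH or MISMATCH, with +EXPIRED appended if the on-disk one expired.
compare_certs() (   # disk_cert served_cert   (subshell body keeps vars local)
    state="MATCH"
    [ "$(cert_thumbprint "$1")" = "$(cert_thumbprint "$2")" ] || state="MISMATCH"
    if cert_expired "$1"; then state="$state+EXPIRED"; fi
    echo "$state"
)

# Only runs where the vpxd certificate exists, i.e. on the vCenter appliance.
if [ -r "$VPXD_CERT" ]; then
    served="$(mktemp)"
    # 443 is the reverse_proxy_https_port shown in the NSX inventory output.
    fetch_served_cert localhost 443 "$served" \
        && compare_certs "$VPXD_CERT" "$served"
    rm -f "$served"
fi
```

A result of MISMATCH or MISMATCH+EXPIRED corresponds to the condition described in the Cause section.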

 

Resolution

Validate the certificate at /etc/vmware-vpx/ssl/rui.crt. If the certificate is not valid and does not match the replaced certificate, open a case with Broadcom support (vCenter component) and provide the following:

- NSX support bundle
- vCenter support bundle