• You may see the below error during NSX upgrade.

Unexpected error while upgrading upgrade unit: Connection error for afbca17e-####-4b1a-####-########5269. javax.net.ssl.SSLHandshakeException: Certificate expired for C=US,CN=########.########.###.com

• There is EAM status down alarm present on NSX UI.

VMware NSX-T 

VMware NSX

SSL connection failure between vCenter and NSX due to vCenter certificate expiry

Check certificate status of vCenter located in Home>Administration>Certificates>Certificate Management 

Follow the below steps if it is expired

1) Renew the VMCA root certificate  Steps to replace MACHINE_SSL_CERT on vCenter server using default VMCA root certificate on vCenter Server UI

2) Update the certificate thumbprint for compute manager in NSX. Refer KB: 323341

3) Verify the EAM status in ESXI using command "service vmware-eam status" and compute manager status in NSX System>fabric>Compute Manager shows healthy.

4) Retry the upgrade.

If you believe you have encountered this issue not able to resolve it, please open a support case with Broadcom Support NSX-T GSS and refer to this KB article. 
For more information, see Creating and managing Broadcom support cases.

NSX Compute Manager 'Connection Status' Down

NSX Compute Manager connection is DOWN with error "Compute Manager certificate is expired