TKGi pks-nsx-t-osb-proxy fails with error building a BOSH director client x509: certificate signed by unknown authority

Article ID: 430089


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

When installing TKGi, the pks-nsx-t-osb-proxy job on the pivotal-container-service VM fails with an error such as:

pivotal-container-service/######:/var/vcap/sys/log/pks-nsx-t-osb-proxy# tail pks-nsx-t-osb-proxy.stderr.log
2026/02/17 16:55:54 Error building a BOSH director client: Fetching info: Performing request GET 'https://<director IP>:25555/info': Performing GET request: Retry: Get "https://<director IP>:25555/info": tls: failed to verify certificate: x509: certificate signed by unknown authority

Ops Manager > Security already has the "OpsManager Root CA on BOSH deployed VM" option enabled.

Manually running curl against https://<director IP>:25555/info from the pivotal-container-service VM succeeds.

Resolution

This problem can be caused by connections from the TKGi pivotal-container-service VM being sent through a proxy. Proxies can interfere with TLS on internal connections.

Check whether the environment has proxies configured for TKGi in the config file:

pivotal-container-service/######:$ cat /var/vcap/jobs/pks-nsx-t-osb-proxy/config/config.json

If proxies are configured, add the BOSH director subnet to the No Proxy list in the TKGi tile. This option can be found at:

  Ops Manager >
  Tanzu Kubernetes Grid Integrated Edition >
  Networking Pane >
  HTTP/HTTPS Proxy (for vSphere and AWS only) >
  No Proxy

Once the subnet has been added to the No Proxy list, re-run Apply Changes; pks-nsx-t-osb-proxy should then stop getting certificate errors.
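
Before running Apply Changes, the planned No Proxy value can be checked offline to confirm that it actually covers the director IP. The following is an added example, not VMware code: the function name, the sample addresses and the matching rules (exact IP, CIDR subnet, hostname, domain suffix, "*") are assumptions based on common no_proxy conventions rather than on TKGi documentation.

```python
import ipaddress

def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """Return True if `host` matches an entry in a comma-separated No Proxy list.

    Assumed rules (hypothetical, modelled on common no_proxy handling):
    exact IP, CIDR subnet, exact hostname, domain suffix, or "*".
    """
    host = host.strip().lower().rstrip(".")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # host is a name, not an IP literal

    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        if host_ip is not None:
            try:
                # A bare IP parses as a /32 (or /128) network.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # a hostname entry cannot match an IP literal
            if host_ip.version == net.version and host_ip in net:
                return True
            continue
        # Hostname comparison: ".example" and "example" both match subdomains.
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False

# Constructed sample values (documentation address range, not a real environment).
DIRECTOR_IP = "192.0.2.11"
BEFORE = "127.0.0.1,localhost,.svc.cluster.local"
AFTER = BEFORE + ",192.0.2.0/24"  # BOSH director subnet appended

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        route = "direct" if bypasses_proxy(DIRECTOR_IP, value) else "via proxy"
        print(f"{label}: director {DIRECTOR_IP} -> {route}")
```

If the director IP still resolves to "via proxy" with the planned list, the subnet entered does not contain the director address.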