The CARR script to renew NSX system certificates fails to execute with authentication error to other NSX Manager IP

Article ID: 431937

Updated On:

Products

VMware NSX

Issue/Introduction

The CARR script to renew NSX system certificates fails to execute with an authentication error to a peer NSX Manager IP. The failure is caused by authentication issues that prevent communication between NSX Manager nodes within the cluster. SSH access to peer NSX Manager nodes is unavailable for both the 'admin' and 'root' accounts.

Analysis of the carr.log created during the failed attempt confirms explicit authentication errors when the 'admin' user attempts to authenticate to peer NSX Manager nodes. Manual SSH login attempts to the affected manager nodes using 'admin' and 'root' credentials fail.

Cause

The NSX Manager credentials have expired or become desynchronized across the NSX Manager cluster.

Resolution

If the NSX Managers are standalone (not VCF/SDDC deployed), you should be able to reset the passwords using the steps in the NSX Admin guide: resetting passwords on an appliance.

If the NSX Managers are SDDC deployed, the passwords will need to be reset from the SDDC Manager UI.

  • Log in to the SDDC Manager UI.
  • Navigate to Administration > Security > Password Management.
  • Filter or locate the NSX Manager component associated with the affected Workload Domain.
  • Execute the password update/rotation workflow for the NSX 'admin' and 'root' credentials.
  • Verify the password rotation task completes successfully in the SDDC Manager tasks pane.

Additional Information

Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX