Unable to install NSX on the ESXi transport node and receiving the following error message:

Failed to install software on host. NSX Manager <hostname> has an invalid API certificate. Error: (60) curl_wrapper failed to verify the legitimacy of the server because the given thumbprint 8e############################## did not match the certificate’s 74##############################. Fix the certificate issue on NSX Manager and retry the operation.

VMware NSX

This issue can occur when the DNS server used by the ESXi host resolves the NSX Manager’s IP address to an incorrect FQDN such as one that points to a different system instead of the NSX Manager FQDN. 

1. Verify the NSX Manager API certificate thumbprint:

   Log in to the NSX Manager node in admin mode and run the following command to confirm the expected API certificate thumbprint:
   
   get certificate api thumbprint
   
   If the ESXi host is receiving an API certificate thumbprint that belongs to a different system instead of the NSX Manager, the installation will fail with a certificate mismatch error.

2. Validate DNS resolution from the ESXi transport node:

   Perform an nslookup on the ESXi transport node for the NSX Manager IP address to ensure the DNS server resolves it to the correct NSX Manager FQDN and not to another system. If the nslookup results show incorrect or duplicate DNS entries for the NSX Manager IP, coordinate with the appropriate internal team to update and correct the DNS server records.

3. Retry the NSX installation:

   After the DNS entries have been corrected and the ESXi host resolves the NSX Manager FQDN properly, retry the NSX installation.