ESXi VM Migration Fails with SSL Handshake Error on Transport Node
Article ID: 439553


Products

VMware NSX

Issue/Introduction

  • Virtual machine migrations (vMotion) to a specific ESXi host fail.
  • The host may already have other virtual machines running successfully.
  • The following error is observed in /var/log/nsx-proxy.log on the affected ESXi host: "certificate verify failed"
  • Connectivity tests confirm that TCP port 1234 is open, but the TLS handshake fails.

Environment

  • VMware NSX
  • VMware vSphere ESXi

Cause

The SSL handshake between the ESXi nsx-proxy service and the NSX Manager nodes is failing because the host possesses an outdated or mismatched APH (Asynchronous Proxy Handler) certificate thumbprint for the Manager. This typically occurs after an NSX Manager API certificate has been rotated or modified, and the update was not successfully synchronized to the Transport Node.

Resolution

To resolve this issue, manually synchronize the API certificate thumbprint on the affected ESXi host.

Step 1: Obtain the Current API Thumbprint

# Run on the NSX Manager CLI
get certificate api thumbprint

Copy the resulting alphanumeric thumbprint string.

Step 2: Synchronize Certificates on the ESXi Host

# SSH into the affected ESXi host and run the following command
# Replace <thumbprint> with the string obtained in Step 1

nsxcli -c sync-aph-certificates username admin thumbprint <thumbprint>


Step 3: Restart the Proxy Service

# Run as root on the ESXi host

/etc/init.d/nsx-proxy restart
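
A small POSIX shell helper, added here as an example and not part of the KB article, that checks the thumbprint format before Step 2 and counts handshake failures in nsx-proxy.log after Step 3. It assumes the API thumbprint is a SHA-256 value (64 hex digits, optionally colon-separated); the run_sync wrapper and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the KB article's own code.
# Assumption: the API thumbprint is SHA-256, i.e. 64 hex digits,
# as printed by "get certificate api thumbprint" (possibly with colons).

# Strip colons and whitespace, upper-case the hex digits.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# Exit 0 if the value is exactly 64 hex digits, 1 otherwise.
validate_thumbprint() {
    tp=$(normalize_thumbprint "$1")
    [ "${#tp}" -eq 64 ] || return 1
    case "$tp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    return 0
}

# Count "certificate verify failed" lines in an nsx-proxy log file.
# Prints 0 when the file has no matches (grep exits 1 in that case).
count_tls_failures() {
    grep -c 'certificate verify failed' "$1" 2>/dev/null || true
}

# Constructed sample log for testing the counter offline.
write_sample_log() {
    printf '%s\n' \
      '2024-01-01T10:00:00Z nsx-proxy: connecting to manager:1234' \
      '2024-01-01T10:00:01Z nsx-proxy: SSL handshake: certificate verify failed' \
      '2024-01-01T10:00:05Z nsx-proxy: retrying' \
      '2024-01-01T10:00:06Z nsx-proxy: SSL handshake: certificate verify failed' \
      > "$1"
}

# Wrapper for Steps 2 and 3 (assumed usage): refuses to run the sync
# with a malformed thumbprint, then restarts nsx-proxy and reports
# how many handshake failures the log currently contains.
run_sync() {
    validate_thumbprint "$1" || { echo "thumbprint is not 64 hex digits" >&2; return 1; }
    nsxcli -c sync-aph-certificates username admin thumbprint "$(normalize_thumbprint "$1")" || return 1
    /etc/init.d/nsx-proxy restart || return 1
    echo "handshake failures in ${2:-/var/log/nsx-proxy.log}: $(count_tls_failures "${2:-/var/log/nsx-proxy.log}")"
}
```

Source the file on the ESXi host and call `run_sync <thumbprint>`; after the restart, a rising failure count means the thumbprint still does not match the Manager's current API certificate.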


Verification

Attempt to migrate a virtual machine to the affected host.

Monitor /var/log/nsx-proxy.log to ensure no further TLS/SSL validation errors are generated.