NSX Manager Certificates Fail to Auto-Renew After Upgrade

Article ID: 439644

Updated On:

Products

VMware NSX

Issue/Introduction

  • Self-signed appliance certificates do not auto-renew even when the certificates are within the renewal lead time (default 31 days).
  • The NSX Manager security configuration confirms automatic_appliance_certificate_renewal_enabled=true.
  • The nsxapi.log does not show any entries for "Starting periodic certificate expiration check."
  • In a thread dump, the EXPIRED_CERTIFICATE_CHECK_TASK-0 thread is found in a WAITING (parking) state indefinitely.

Environment

VMware NSX

Cause

This issue occurs because the EXPIRED_CERTIFICATE_CHECK_TASK-0 worker thread becomes stuck in an indefinite wait state during service initialization following an upgrade. The thread never receives its scheduled task and remains idle, so the periodic expiration check does not run.

Resolution

To resolve this issue, the proton service must be restarted to re-initialize the certificate check task.

  1. Log in to the NSX Manager CLI as root.
  2. Restart the proton service: /etc/init.d/proton restart 
  3. Perform this action on all NSX Managers in the cluster one by one.
  4. Verify the fix by checking /var/log/proton/nsxapi.log for the following entry:

    "INFO EXPIRED_CERTIFICATE_CHECK_TASK-0 ApplianceCertificateExpirationCheckTask [nsx@6876 comp="nsx-manager" subcomp="manager"] Starting periodic certificate expiration check."
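The symptom check and the post-restart verification above can be scripted per manager. The following is an added example, not Broadcom's code: the function names, the sample timestamps and log/thread-dump contents are constructed, and it assumes the thread dump was saved to a file in standard jstack text format.

```shell
#!/bin/sh
# Added example, not Broadcom's code. All sample data below is constructed.
TASK='EXPIRED_CERTIFICATE_CHECK_TASK-0'
MARKER='Starting periodic certificate expiration check.'

# Print the newest log line where the task announced a run; fail if there is none.
last_check_entry() {   # $1 = path to nsxapi.log
    grep -F "$TASK" "$1" | grep -F "$MARKER" | tail -n 1 | grep .
}

# Succeed if a jstack-style dump shows the task thread in WAITING (parking).
# Matching "State: WAITING" deliberately excludes TIMED_WAITING (parking).
thread_is_parked() {   # $1 = path to saved thread dump
    awk -v hdr="\"$TASK\"" '
        index($0, hdr) == 1 { in_thread = 1; next }
        in_thread { if (index($0, "State: WAITING (parking)")) parked = 1; in_thread = 0 }
        END { exit parked ? 0 : 1 }' "$1"
}

# Classify one manager as "healthy", "stuck" or "inconclusive".
diagnose() {   # $1 = nsxapi.log, $2 = thread dump
    if last_check_entry "$1" >/dev/null; then echo healthy
    elif thread_is_parked "$2"; then echo stuck
    else echo inconclusive; fi
}

# Constructed samples (timestamps, thread id and the first log line are made up).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before.log" <<'EOF'
2025-01-10T08:00:01.000Z INFO main SomeStartupComponent [nsx@6876 comp="nsx-manager" subcomp="manager"] Service initialized.
EOF
cat > "$SAMPLES/after.log" <<'EOF'
2025-01-10T09:15:42.000Z INFO EXPIRED_CERTIFICATE_CHECK_TASK-0 ApplianceCertificateExpirationCheckTask [nsx@6876 comp="nsx-manager" subcomp="manager"] Starting periodic certificate expiration check.
EOF
cat > "$SAMPLES/threads.txt" <<'EOF'
"EXPIRED_CERTIFICATE_CHECK_TASK-0" #212 prio=5 os_prio=0 waiting on condition
   java.lang.Thread.State: WAITING (parking)
	at jdk.internal.misc.Unsafe.park(Native Method)
EOF

echo "before restart: $(diagnose "$SAMPLES/before.log" "$SAMPLES/threads.txt")"
echo "after restart:  $(diagnose "$SAMPLES/after.log" "$SAMPLES/threads.txt")"
```

On a real manager the log can still hold entries written before the upgrade, so compare the timestamp printed by last_check_entry with the time the proton service was restarted on that node.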

Additional Information

https://knowledge.broadcom.com/external/article/412015/nsx-selfsigned-certificate-autorenewal.html