ESXi Host gets disconnected from vCenter after a random delay : Cannot verify SSL thumbprint

Article ID: 311667

Updated On: 04-21-2025

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • The ESXi host will get disconnected after a random time period.
  • vCenter Server reports configuration issues on the Summary tab of the host:

    Disconnected from host.example.com in DataCenter. Reason :
    Cannot verify the SSL thumbprint.Cannot synchronize host host.example.com. Authenticity of the host's SSL certificate is not verified.
  • It is possible to reconnect the ESXi host to vCenter, but this requires re-entering the host credentials.

  • Regenerating the SSL certificates will not solve the issue.

  • Restarting the management services on the ESXi host does not solve the issue.

  • vCenter - /var/log/vmware/vpxd/vpxd.log shows this task when the host is disconnected:

    [yyyy-mm-ddThh-mm-ss info 'App'] [VpxdMoHost::DisconnectInt] Marked example.example.com as dirty.
    
    
  • The vpxd.log reports an SSL handshake certificate verification failure:

    [yyyy-mm-ddThh-mm-ss error 'App'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    
    The vpxd.log may also report the following certificate comparison, in which the subject presented during the handshake is not the host's own:
    [yyyy-mm-ddThh-mm-ss warning 'Libs'] SSLVerifyCertAgainstSystemStore: Subject mismatch: Random Root CA vs host.example.com

Environment

VMware vCenter Server

VMware vSphere ESXi

Resolution


  • Observation:
    vCenter may sometimes use the correct FQDN during the handshake process, which keeps the host connected.
    However, random disconnections can still occur due to certificate mismatches.

  • Solution Steps:

    • Check the network for any duplicate IP addresses.

    • Disconnect the host or change its IP address, then test whether the previous IP still responds; if it does, another device is answering on that address.

    • Add the host entry to the vCenter Server’s hosts file to ensure correct name resolution.

    • Use the "random root CA" seen in the certificate chain as a clue: search vCenter for matching entries, which can help determine which system is presenting that certificate and thus the root cause.
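To triage this pattern across a larger vpxd.log, the following is an added Python example (not part of this article or of any VMware tooling) that groups the three log signatures from the Issue section per ESXi host; the log excerpt is constructed in the article's bracketed format, and the hosts, timestamps and "Random Root CA" subject are placeholders.

```python
import re
from collections import defaultdict

# Constructed vpxd.log excerpt in the bracketed format shown in this article;
# hosts, timestamps and the "Random Root CA" subject are placeholders, not a real capture.
SAMPLE_VPXD_LOG = """\
[2025-04-21T10:15:02 info 'App'] Heartbeat received from host2.example.com
[2025-04-21T10:15:02 warning 'Libs'] SSLVerifyCertAgainstSystemStore: Subject mismatch: Random Root CA vs host.example.com
[2025-04-21T10:15:02 error 'App'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[2025-04-21T10:15:03 info 'App'] [VpxdMoHost::DisconnectInt] Marked host.example.com as dirty.
[2025-04-21T11:02:40 warning 'Libs'] SSLVerifyCertAgainstSystemStore: Subject mismatch: Random Root CA vs host.example.com
[2025-04-21T11:02:40 error 'App'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[2025-04-21T11:02:41 info 'App'] [VpxdMoHost::DisconnectInt] Marked host.example.com as dirty.
"""

LINE_RE = re.compile(r"^\[(?P<ts>\S+) (?P<level>\w+) '(?P<sub>\w+)'\] (?P<msg>.*)$")
MISMATCH_RE = re.compile(r"SSLVerifyCertAgainstSystemStore: Subject mismatch: (?P<presented>.+) vs (?P<expected>\S+)$")
VERIFY_FAIL_RE = re.compile(r"certificate verify failed")
DIRTY_RE = re.compile(r"\[VpxdMoHost::DisconnectInt\] Marked (?P<host>\S+) as dirty\.")


def triage_vpxd(log_text):
    """Group the three signatures from this article per ESXi host.

    The 'certificate verify failed' line names no host, so it is attributed to the
    host of the most recent Subject-mismatch line (assumption: vpxd logs them in order).
    """
    per_host = defaultdict(lambda: {"mismatched_subjects": [], "verify_failures": 0, "disconnects": []})
    last_host = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a vpxd line in the expected format; skip
        ts, msg = m.group("ts"), m.group("msg")
        if mm := MISMATCH_RE.search(msg):
            last_host = mm.group("expected")
            subjects = per_host[last_host]["mismatched_subjects"]
            if mm.group("presented") not in subjects:
                subjects.append(mm.group("presented"))  # foreign subject to search for in vCenter
        elif VERIFY_FAIL_RE.search(msg) and last_host:
            per_host[last_host]["verify_failures"] += 1
        elif dm := DIRTY_RE.search(msg):
            per_host[dm.group("host")]["disconnects"].append(ts)
    return dict(per_host)


def suspicious_hosts(summary):
    """Hosts whose disconnects coincide with a foreign certificate subject: the
    pattern this article attributes to duplicate IPs or wrong name resolution."""
    return sorted(h for h, s in summary.items() if s["mismatched_subjects"] and s["disconnects"])
```

The `mismatched_subjects` list for each flagged host is the "random root CA" value to search for in vCenter, and the disconnect timestamps can be compared against DHCP or switch logs when hunting for a duplicate IP.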