Error: "Could not connect to one or more vCenter Server Systems" in the vSphere Client

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

The VMware vSphere Client displays the below error:
Failed to verify the SSL certificate for one or more vCenter Server Systems: https://<vCenter-FQDN-Or-IP>:443/sdk
Could not connect to one or more vCenter Server Systems: https://<vCenter-FQDN-Or-IP>:443/sdk
Objects such as host or virtual machines are not displayed in the vSphere Web Client

Environment

VMware vCenter Server 7.0
VMware vCenter Server 8.0

Cause

This issue occurs in these situations when using Enhanced Linked Mode:

Another vCenter Server in the Single Sign-On (SSO) domain has restarted or is not fully available after restart.
During the re-installation of the vCenter Server, it is possible to have the same vCenter Server registered more than once to the Single Sign-On (SSO).
With a previous install of vCenter Server, SSL certificates were not overwritten or appropriately removed during an upgrade or re-installation.

Resolution

Note: This issue may be transient as another vCenter Server in an Enhanced Link Mode domain is restarting. Before continuing with troubleshooting, it is advised to wait 10 minutes, log out, and log back into the vCenter Server. The error may clear on its own. In addition, it is strongly advised to determine if logging into the other vCenter Server identified in the error message directly to determine if vCenter services are up and running before continuing. If all vCenter Servers are up and running and this error persists, continue with this resolution to identify duplicate service registrations or other errors.

To resolve this with scripting, refer to:

Using the VCF Diagnostic Tool for vSphere (VDT)

Using the 'lsdoctor' Tool

To resolve this manually, refer to the below section.

vCenter Server Appliance

Connect to the Platform Services Controller / vCenter using SSH.

Run this command to enable and access the Bash shell:
shell.set --enabled true
Type shell and press Enter
To create a text file with a list of the services registered within the Platform Services Controller, run this command:

/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --type vcenterserver > /tmp/psc_services.txt --no-check-cert
Open the generated text file to find a list of services registered to the Platform Services Controller / vCenter.

Example output:
Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: #######-####-####-####-######
Site ID: default-first-site
Node ID: #######-####-####-####-######
Owner ID: vpxd-#######-####-####-####-######@vsphere.local
Version: 8.0
Endpoints:
Type: com.vmware.vim.extension
Protocol: vmomi
URL: https://vcenter1.example.com:443/sdkTunnel

Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: #######-####-####-####-######
Site ID: default-first-site
Node ID: #######-####-####-####-######
Owner ID: vpxd-#######-####-####-####-######@vsphere.local
Version: 8.0
Endpoints:
Type: com.vmware.vim.extension
Protocol: vmomi
URL: https://vcenter2.example.com:443/sdkTunnel

Note: To identify a valid registration against stale registration /etc/vmware/install-defaults/vmdir.ldu-guid can be looked to compare Node ID from the above output.
To unregister the duplicate service endpoint, run this command:

/usr/lib/vmware-lookupsvc/tools/lstool.py unregister --url http://localhost:7090/lookupservice/sdk --id Service_ID from Step 4 --user '[email protected]' --password 'ExamplePassword' --no-check-cert

Note: To find out which node is the right node mapped with the PSC / vCenter, view the vmdir.ldu-guid file of the respective machine.

Connect to PSC / vCenter via SSH
cd /etc/vmware/install-defaults/
cat /etc/vmware/install-defaults/vmdir.ldu-guid

The output gives the ORIGINAL NODE id. Remove the stale entry registered for other node ids.