Connecting to TLS1.0 or TLS1.1 services fail in vRealize Orchestrator


Article ID: 325987


Updated On:


VMware Aria Suite


In VMware vRealize Orchestrator 8.4.1 and later versions, you experience these symptoms:
  • Connections to TLS 1.0 or TLS 1.1 services fail.
  • When you try to establish the connection, you see entries in the /services-logs/prelude/vco-app/file-logs/vco-server-app.log file similar to:
    The server selected protocol version TLS10 is not accepted by client preferences [TLS12]


VMware vRealize Orchestrator 8.6.x
VMware vRealize Orchestrator 8.7.x
VMware vRealize Automation 8.10.x
VMware vRealize Orchestrator 8.9.x
VMware vRealize Automation 8.7.x
VMware vRealize Automation 8.9.x
VMware vRealize Automation 8.3.x
VMware vRealize Orchestrator 8.10.x
VMware vRealize Automation 8.6.x
VMware vRealize Automation 8.5.x
VMware vRealize Orchestrator 8.5.x
VMware vRealize Automation 8.4.x
VMware vRealize Automation 8.8.x
VMware vRealize Orchestrator 8.8.x
VMware vRealize Orchestrator 8.4.x


vRA/vRO supports only TLS 1.2 out-of-the-box for strengthened security.


This is a known issue affecting VMware vRealize Orchestrator 8.4.1 and later versions.

Currently, there is no resolution.



  • Take simultaneous non-memory snapshots of each virtual appliance in the cluster.
  • You have access to the root user and password.
  • You have SSH or console access to each virtual appliance.


  1. SSH / PuTTY into one vRO virtual appliance in the cluster.
  2. Run the following command:
    vracli cluster exec -- bash -c 'base64 -d <<< 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 | bash'
Note: This command runs a script that creates a custom profile configuring vRO to allow connections via the TLS 1.0 or TLS 1.1 protocols.
  3. Start vRA services by running the following command
IMPORTANT NOTE: If a single-node environment is scaled out to a clustered environment in the future, the steps need to be executed on each node before the new nodes are joined to the master node.

Procedure to remove TLS 1.0 and TLS 1.1 configurations

Follow these steps to delete the custom profile and disable the use of the TLS 1.0 or TLS 1.1 protocols for connections.
  1. Run the following command:
    vracli cluster exec -- bash -c 'base64 -d <<< IyBEZWxldGUgcHJvZmlsZSBkaXJlY3RvcnkgYW5kIHRoZSBvdmVycmlkaW5nIGZpbGUKcm0gLXJmIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlCnJtIC1yZiAvZGF0YS92Y28vdXNyL2xpYi92Y28vanZtLnNlY3VyaXR5Cg== | bash'
  2. Start vRA services by running the following command
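Both procedures pipe a base64-encoded script straight into bash across the cluster, so it is worth decoding the payload and reading it before running the command. The following is an added example, not part of the original article: it decodes the removal payload shown above without executing it and checks that it contains only the two expected deletions. The function names are hypothetical, and the allowlist is an assumption taken from decoding that payload.

```shell
#!/bin/sh
# Added example: inspect the base64 payload before it is piped to bash.
# Payload copied verbatim from the removal command on this page.
REMOVE_PAYLOAD='IyBEZWxldGUgcHJvZmlsZSBkaXJlY3RvcnkgYW5kIHRoZSBvdmVycmlkaW5nIGZpbGUKcm0gLXJmIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlCnJtIC1yZiAvZGF0YS92Y28vdXNyL2xpYi92Y28vanZtLnNlY3VyaXR5Cg=='

# Decode a payload to stdout without executing it.
decode_payload() {
  printf '%s' "$1" | base64 -d
}

# Print the path argument of every rm command in the decoded script.
payload_rm_targets() {
  decode_payload "$1" | awk '$1 == "rm" { print $NF }'
}

# Succeed only if every non-comment line is one of the two expected deletions.
# The allowlist is an assumption taken from decoding REMOVE_PAYLOAD above.
payload_is_expected() {
  decoded=$(decode_payload "$1") || return 2
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) ;;
      'rm -rf /etc/vmware-prelude/profiles/security-connection-profile') ;;
      'rm -rf /data/vco/usr/lib/vco/jvm.security') ;;
      *) printf 'unexpected line: %s\n' "$line" >&2; return 1 ;;
    esac
  done <<EOF
$decoded
EOF
  return 0
}

# Show the script and the verdict; nothing is executed.
decode_payload "$REMOVE_PAYLOAD"
if payload_is_expected "$REMOVE_PAYLOAD"; then
  echo "OK: payload only removes the custom TLS profile files"
else
  echo "STOP: payload differs from the expected cleanup script" >&2
fi
```

The same decode-and-read step applies to the enable command's payload before it is run.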

Additional Information

This may be a blocker for customers if there is a need to contact external HTTP / web systems with weaker security protocols such as TLS 1.0 and TLS 1.1.