Error: "Connection error: could not negotiate SSL" when opening VMware Remote Console in Cloud Director


Article ID: 342532


Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • VMRC fails to connect, although the Web Console may work without problems.
  • This often occurs after a Cloud Director upgrade.
  • The VMRC failures can be identified in the VMRC logs on the user's local desktop. For location details, see Location of Cloud Director VMRC client log files.
2023-09-22T09:07:14.345Z In(05) main REMOTEMKS: expected thumbprint for remote display: 90:D8:##:##:##:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
2023-09-22T09:07:14.345Z In(05) main SOCKET connect to wss://<public address>.example.com:443
2023-09-22T09:07:14.345Z In(05) main SOCKET webSocket's hostname: <public address>.example.com
2023-09-22T09:07:14.382Z In(05) main SOCKET creating new IPv4 socket, connecting to 192.168.###.###:443 (<public address>.example.com)
2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1184 connected immediately!
2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1196 connected immediately!
2023-09-22T09:07:14.411Z In(05) main MKSRoleMain: PowerOn finished.
2023-09-22T09:07:14.419Z In(05) mks MKSControlMgr: connected
2023-09-22T09:07:14.422Z In(05) mks MKS-VMDB: VMDB requested a screenshot
2023-09-22T09:07:14.422Z In(05) svga MKSScreenShotMgr: Taking a screenshot
2023-09-22T09:07:14.427Z In(05) mks KHBKL: Unable to parse keystring at: ''
2023-09-22T09:07:14.429Z In(05) mks KHBKL: Unable to parse keystring at: ''
2023-09-22T09:07:14.505Z Wa(03) mks SSL: Unknown SSL Error
2023-09-22T09:07:14.505Z In(05) mks SSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-09-22T09:07:14.505Z Wa(03) mks SOCKET 2 (1164) Could not negotiate SSL
2023-09-22T09:07:14.505Z Wa(03)+ mks The remote host certificate has these problems:
2023-09-22T09:07:14.505Z Wa(03)+ mks
2023-09-22T09:07:14.505Z Wa(03)+ mks * self signed certificate in certificate chain
2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Expected thumbprint doesn't match actual thumbprint.
2023-09-22T09:07:14.506Z Wa(03) mks Expected thumbprint is: 90:D8:##:##:##:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
2023-09-22T09:07:14.506Z Wa(03)+ mks   Actual thumbprint is: 69:63:##:##:##:21:5F:98:BD:4A:FC:37:BE:ff:C3:c0:A6:3A:B7:5F
2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Cannot verify target host.
2023-09-22T09:07:14.506Z Wa(03) mks MVNCClient: received socket error 13: Connection error: could not negotiate SSL
2023-09-22T09:07:14.506Z In(05) mks MVNCClient: Setting vncClient.mksConnectionError, previous error is 0, new error is 1
2023-09-22T09:07:14.506Z In(05) mks MVNCClient: Destroying VNC Client socket.
2023-09-22T09:07:14.506Z In(05) mks MKSRoleMain: Disconnected from server (error=1)
2023-09-22T09:07:14.506Z In(05) mks MKS-RoleRemote: Disconnected from server with error code 1.
2023-09-22T09:07:14.506Z In(05) mks MKSThread: Requesting MKS exit

Environment

VMware Cloud Director 10.x

Cause

This issue occurs when the expected thumbprint for the VMRC console does not match the actual thumbprint presented.

The thumbprint mismatch can occur because the certificate in the Administration > Settings > Public Addresses tab is incomplete, out of order, or otherwise corrupt. The certificate imported to the Administration > Settings > Public Addresses tab must include the full chain as well as the correct endpoint certificate.

This issue can also occur if the certificate chain applied to the Administration > Settings > Public Addresses tab is entirely different from the one applied to the load balancer.

Resolution

If the issue is caused by the certificate chain being in the wrong order, the best way to resolve it is to validate the quality of the certificate chain and then import that chain through the built-in UI functionality in the Administration > Settings > Public Addresses tab. This can be done as follows:
  1. Review the /opt/vmware/vcloud-director/etc/global.properties file to identify the location of the HTTPS certificate. This path is referenced by the entry labeled "user.certificate.path". The default path is /opt/vmware/vcloud-director/etc/user.http.pem
  2. Copy the certificate from the path identified in step 1 to your workstation
  3. Navigate to the Provider portal and go to Administration > Settings > Public Addresses
  4. Click the "Edit" button at the top of the page. Then click the "Replace Certificate File" button and upload the certificate from step 1.
  5. Save this configuration for the Web Portal and API endpoint.
  6. Test VMRC again to see if the same issue occurs

If the issue occurs because the certificate applied to the Administration > Settings > Public Addresses tab differs from the one applied to the load balancer:

  1. Locate the file that was used to apply the certificate to the load balancer.
  2. Navigate to the Provider portal and go to Administration > Settings > Public Addresses
  3. Click the "Edit" button at the top of the page. Then click the "Replace Certificate File" button and upload the certificate from step 1.
  4. Save this configuration for the Web Portal and API endpoint.
  5. Test VMRC again to see if the same issue occurs

Additional Information

This message indicates the thumbprint of the certificate which is currently set in the Administration > Settings > Public Addresses tab:
2023-09-22T09:07:14.345Z In(05) main REMOTEMKS: expected thumbprint for remote display: 90:D8:##:##:##:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
This message indicates the thumbprint of the certificate currently applied to the load balancer that the console is connecting to:
2023-09-22T09:07:14.506Z Wa(03)+ mks   Actual thumbprint is: 69:63:##:##:##:21:5F:98:BD:4A:FC:37:BE:ff:C3:c0:A6:3A:B7:5F
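
A pre-upload check for the Resolution steps and the two log messages above, as an added example that is not VMware's own tooling: it confirms that a PEM bundle is ordered endpoint certificate first, and that its first certificate carries the thumbprint VMRC logged as "Actual". The function names are hypothetical, the openssl command-line tool is required, and the 20-byte thumbprints in the log are assumed to be SHA-1 fingerprints.

```shell
#!/bin/sh
# Added example (not Cloud Director or VMRC code). Requires the openssl CLI.

# Split a PEM bundle into DIR/cert-0.pem, DIR/cert-1.pem, ...; prints the count.
split_chain() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", d, n++) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# SHA-1 thumbprint (assumed digest) of the FIRST certificate in the bundle,
# in the upper-case colon-separated form used by the VMRC log.
leaf_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr 'a-f' 'A-F'
}

# Exit 0 only if each certificate is issued by the one after it (endpoint,
# then intermediates, then root). Compares issuer/subject names only; it
# does not verify signatures. Exit 1 = out of order, 2 = no certificate found.
chain_in_order() (
  dir=$(mktemp -d) || exit 2
  n=$(split_chain "$1" "$dir"); rc=0; i=0
  [ "$n" -ge 1 ] || rc=2
  while [ "$rc" -eq 0 ] && [ "$i" -lt $((n - 1)) ]; do
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$dir"
  exit "$rc"
)

# Print "expected <thumbprint>" and "actual <thumbprint>" from a VMRC log.
# Carriage returns are stripped because the log may come from a Windows desktop.
log_thumbprints() {
  tr -d '\r' < "$1" | sed -n -e 's/.*Expected thumbprint is: */expected /p' \
                             -e 's/.*Actual thumbprint is: */actual /p'
}

# Exit 0 if the bundle's first certificate is the one the log reports as
# actually presented to VMRC (hex digits in the log may be mixed case).
leaf_matches_log() (
  actual=$(log_thumbprints "$2" | awk '$1 == "actual" { t = toupper($2) } END { print t }')
  [ -n "$actual" ] && [ "$(leaf_thumbprint "$1")" = "$actual" ]
)
```

Run `chain_in_order` and `leaf_matches_log` against the file you intend to upload, together with a VMRC log captured from a failed session, before replacing the certificate in the Public Addresses tab.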