VMRC Fails to Connect due to SSL Negotiation Error

Article ID: 342532

Products

VMware Cloud Director

Issue/Introduction

This KB is intended to resolve issues with VMRC consoles after upgrading to version 10.4.X.

Symptoms:
  • VMRC fails to connect, although the Web Consoles may work just fine
  • This often occurs after an upgrade to VMware Cloud Director version 10.4.X
  • The VMRC failures can be identified in the console-proxy logs. A failed VMRC console may present a log sequence similar to the one shown below:
2023-09-22T09:07:14.345Z In(05) main REMOTEMKS: expected thumbprint for remote display: 90:D8:73:1B:4A:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
2023-09-22T09:07:14.345Z In(05) main SOCKET connect to wss://labs-cloud.vmware.com:443
2023-09-22T09:07:14.345Z In(05) main SOCKET webSocket's hostname: labs-cloud.vmware.com
2023-09-22T09:07:14.382Z In(05) main SOCKET creating new IPv4 socket, connecting to 10.21.6.21:443 (labs-cloud.vmware.com)
2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1184 connected immediately!
2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1196 connected immediately!
2023-09-22T09:07:14.411Z In(05) main MKSRoleMain: PowerOn finished.
2023-09-22T09:07:14.419Z In(05) mks MKSControlMgr: connected
2023-09-22T09:07:14.422Z In(05) mks MKS-VMDB: VMDB requested a screenshot
2023-09-22T09:07:14.422Z In(05) svga MKSScreenShotMgr: Taking a screenshot
2023-09-22T09:07:14.427Z In(05) mks KHBKL: Unable to parse keystring at: ''
2023-09-22T09:07:14.429Z In(05) mks KHBKL: Unable to parse keystring at: ''
2023-09-22T09:07:14.505Z Wa(03) mks SSL: Unknown SSL Error
2023-09-22T09:07:14.505Z In(05) mks SSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-09-22T09:07:14.505Z Wa(03) mks SOCKET 2 (1164) Could not negotiate SSL
2023-09-22T09:07:14.505Z Wa(03)+ mks The remote host certificate has these problems:
2023-09-22T09:07:14.505Z Wa(03)+ mks
2023-09-22T09:07:14.505Z Wa(03)+ mks * self signed certificate in certificate chain
2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Expected thumbprint doesn't match actual thumbprint.
2023-09-22T09:07:14.506Z Wa(03) mks Expected thumbprint is: 90:D8:73:1B:4A:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
2023-09-22T09:07:14.506Z Wa(03)+ mks   Actual thumbprint is: 69:63:E6:cc:60:21:5F:98:BD:4A:FC:37:BE:ff:C3:c0:A6:3A:B7:5F
2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Cannot verify target host.
2023-09-22T09:07:14.506Z Wa(03) mks MVNCClient: received socket error 13: Connection error: could not negotiate SSL
2023-09-22T09:07:14.506Z In(05) mks MVNCClient: Setting vncClient.mksConnectionError, previous error is 0, new error is 1
2023-09-22T09:07:14.506Z In(05) mks MVNCClient: Destroying VNC Client socket.
2023-09-22T09:07:14.506Z In(05) mks MKSRoleMain: Disconnected from server (error=1)
2023-09-22T09:07:14.506Z In(05) mks MKS-RoleRemote: Disconnected from server with error code 1.
2023-09-22T09:07:14.506Z In(05) mks MKSThread: Requesting MKS exit
2023-09-22T09:07:14.506Z In(05) main Stopping MKS/SVGA threads

Environment

VMware Cloud Director for Service Provider 10.x
VMware Cloud Director 10.x

Cause

  • VMRC connection failures on version 10.4.X are usually attributed to a thumbprint mismatch -- this happens when the expected thumbprint for the VMRC console does not match the actual thumbprint presented
  • The thumbprint mismatch occurs because the certificate in the Administration > Settings > Public Addresses tab is incomplete, out of order, or otherwise corrupt
  • The certificate imported to the Administration > Settings > Public Addresses tab must include the full chain as well as the correct endpoint certificate

Resolution

The best way to resolve this issue is to validate the quality of the certificate chain, then import that chain via the built-in UI functionality to the Administration > Settings > Public Addresses tab. This can be done as follows:
  1. Review the /opt/vmware/vcloud-director/etc/global.properties file to identify the location of the HTTPS certificate. This path is referenced by the entry labeled "user.certificate.path". The default path is /opt/vmware/vcloud-director/etc/user.http.pem
  2. Copy the certificate from the path identified in step 1 to your workstation
  3. Navigate to the Provider portal and go to Administration > Settings > Public Addresses
  4. Click the "Edit" button at the top of the page. Then click the "Replace Certificate File" button and upload the certificate from step 1
  5. Save this configuration for the Web Portal and API endpoint.
  6. Test VMRC again to see if the same issue occurs
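
One way to check the copied file against the log before uploading it, as an added example that is not VMware's code: it extracts the expected and actual thumbprints from the VMRC log and reports which certificate in a PEM bundle (0 = first) carries each one. It assumes the 20-byte thumbprint is the SHA-1 digest of the DER-encoded certificate; the function names are illustrative.

```python
import base64
import hashlib
import re

THUMB = r"((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"  # 20 colon-separated bytes
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Two lines quoted from the article's log excerpt (note the mixed-case hex).
SAMPLE_LOG = """\
2023-09-22T09:07:14.506Z Wa(03) mks Expected thumbprint is: 90:D8:73:1B:4A:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C1
2023-09-22T09:07:14.506Z Wa(03)+ mks   Actual thumbprint is: 69:63:E6:cc:60:21:5F:98:BD:4A:FC:37:BE:ff:C3:c0:A6:3A:B7:5F
"""

def log_thumbprints(log_text):
    """Return (expected, actual) thumbprints from a VMRC log, upper-cased."""
    found = {}
    for kind in ("Expected", "Actual"):
        m = re.search(kind + r" thumbprint is:\s*" + THUMB, log_text)
        found[kind] = m.group(1).upper() if m else None
    return found["Expected"], found["Actual"]

def bundle_thumbprints(pem_text):
    """SHA-1 thumbprint of every certificate in a PEM bundle, in file order."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha1(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return prints

def diagnose(log_text, pem_text):
    """Report where in the bundle each logged thumbprint appears (0 = first)."""
    expected, actual = log_thumbprints(log_text)
    prints = bundle_thumbprints(pem_text)
    position = lambda t: prints.index(t) if t in prints else None
    return {"expected": expected, "actual": actual,
            "expected_at": position(expected), "actual_at": position(actual),
            "certs_in_bundle": len(prints)}

if __name__ == "__main__":
    # Constructed stand-in: placeholder bytes, not a real certificate.
    blob = base64.encodebytes(b"constructed placeholder").decode()
    pem = "-----BEGIN CERTIFICATE-----\n" + blob + "-----END CERTIFICATE-----\n"
    print(diagnose(SAMPLE_LOG, pem))
```

To use it on a real system, pass the contents of the VMRC log and of the file copied in step 2 to diagnose(); a thumbprint reported at a position other than 0, or not found at all, is worth resolving before the upload in step 4.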


Additional Information

Impact/Risks:
VMRC consoles will be inaccessible due to the thumbprint mismatch