"The host certificate chain is not complete" error when opening the VM console

Article ID: 344177

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

After a fresh installation of ESXi or ESX on the affected host, you experience these symptoms:

  • You are unable to view the console of virtual machines within the host.
  • You see the error:

    Unable to connect to the MKS: The remote host has these problems: * The host certificate chain is not complete.

  • You are able to view the virtual machine console when you connect to the host directly using the VI Client.
  • Other hosts in the inventory are able to see the virtual machine consoles.


Environment

VMware ESXi 4.1.x Installable
VMware ESX 4.1.x
VMware vSphere ESXi 5.0
VMware ESXi 4.0.x Installable
VMware ESXi 4.0.x Embedded
VMware ESX 4.0.x
VMware ESXi 4.1.x Embedded

Cause

This issue occurs when the host has problems with the certificate.

Resolution

To resolve this issue, you must recreate the host certificates.
To recreate the host certificates:
  1. Log in to the affected ESXi/ESX host. For accessing Tech Support Mode in ESXi, see Using Tech Support Mode in ESXi 4.1 and 5.0.
  2. Navigate to the location where the certificate files are stored using this command:

    cd /etc/vmware/ssl

  3. Verify that the certificate files are present using this command:

    /etc/vmware/ssl # ls

    You see an output similar to:

    rui.crt rui.key

  4. Move these files to a temporary directory using these commands:

    • mv rui.crt /tmp
    • mv rui.key /tmp

    Note: Re-run the ls command to confirm that the files have been moved.

  5. Recreate the SSL certificate for the host using one of these commands:

    /sbin/generate-certificates

    or depending on the ESX/ESXi version, the command may be:

    /sbin/generate-certificates.sh

    Note: Restarting the management services does not recreate the SSL certificates. You must run the generate-certificates script. On ESXi 5.5 you may receive the following error:

    WARNING: can't open config file: /usr/ssl/openssl.cnf

    or

    WARNING: can't open config file: /etc/pki/tls/openssl.cnf

    These messages can be safely ignored as the new certificate is generated successfully.

  6. Run this command to verify that the files were created:

    /etc/vmware/ssl # ls

    You see an output similar to:

    rui.crt rui.key

  7. Disconnect the host from vCenter Server and then remove it from the Inventory.

    Note: Ensure that EVC is not enabled before removing the host. If EVC is enabled, the host will require downtime.

  8. Restart the management agents on the ESXi host. For more information, see Restarting the Management agents on an ESXi or ESX host (1003490).

  9. Add the host back to the vCenter Server Inventory and then try opening the console of a powered-on virtual machine.
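
A check that can be run after step 6, before the host is added back to vCenter Server, to confirm that the regenerated pair is usable and is not simply the old certificate. This is an added example, not part of the VMware article; the function names check_host_cert and cert_fingerprint are hypothetical, and it assumes the openssl binary is available in the host shell and that the host key is RSA.

```shell
#!/bin/sh
# Added example: sanity-check a regenerated host certificate pair.
# Assumptions: openssl is on PATH and rui.key is an RSA key.

# Print the certificate's SHA-1 fingerprint (colon-separated hex).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" 2>/dev/null | cut -d= -f2
}

# check_host_cert SSL_DIR [BACKUP_DIR]
# Returns 0 when the pair is usable; otherwise prints the reason and returns
# 1 (file missing/empty), 2 (key mismatch), 3 (expired), 4 (not regenerated).
check_host_cert() {
    dir=$1
    backup=${2:-}
    crt="$dir/rui.crt"
    key="$dir/rui.key"

    for f in "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    done

    # The certificate and the private key must carry the same RSA modulus.
    m_crt=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    m_key=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$m_crt" ] || [ "$m_crt" != "$m_key" ]; then
        echo "rui.crt does not match rui.key"; return 2
    fi

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 ||
        { echo "certificate is expired"; return 3; }

    # If the old certificate was kept, the new one must differ from it.
    if [ -n "$backup" ] && [ -s "$backup/rui.crt" ] &&
       [ "$(cert_fingerprint "$crt")" = "$(cert_fingerprint "$backup/rui.crt")" ]; then
        echo "certificate is unchanged from $backup/rui.crt"; return 4
    fi

    echo "OK: SHA1 fingerprint $(cert_fingerprint "$crt")"
}

# On the host, after step 6: check_host_cert /etc/vmware/ssl /tmp
```

The printed fingerprint can be compared with the thumbprint vCenter Server shows when the host is added back in step 9.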


Additional Information

Restarting the Management agents in ESXi
Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x