TLS disable of ESXi fails on vCenter Server with error [SSL: UNKNOWN_PROTOCOL]
Article ID: 344690
Updated On:
Products
VMware vCenter Server
Issue/Introduction
The purpose of this article is to enable correctly changing the TLS version of ESXi hosts in reconfigureEsx command.
Symptoms:
[ /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost".
Password:
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)
Symptoms:
- ReconfigureEsx command fails with the error:
In vCenter Server Appliance:
[ /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost".
Password:
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)
In Windows:
C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost".
Password:
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost".
Password:
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)
Environment
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x
Cause
If the vCenter Server has a proxy configured, the reconfigureEsx command may fail.
As a result, it is not possible to invalidate the TLS versions of the ESXi host.
As a result, it is not possible to invalidate the TLS versions of the ESXi host.
Resolution
Currently, there is no resolution.
Workaround:
To work around this issue, disable proxy of vCenter Server and run the reconfigureEsx command.
Reboot the vCenter Server.
After the reboot, the reconfigureEsx command can be successfully run.
Workaround:
To work around this issue, disable proxy of vCenter Server and run the reconfigureEsx command.
In vCenter Server Appliance:
-
Open an SSH session to the vCenter Server Appliance.
-
Edit the /etc/sysconfig/proxy file.
Change the value of PROXY_ENABLED="yes" to PROXY_ENABLED="no".
In Windows:
-
Start Internet Explorer.
-
Open the Internet Options.
-
Click the Connections tab.
-
Click LAN settings.
-
Disable Use a proxy server for your LAN and other such settings.
-
Click OK two times to confirm the configuration.
Reboot the vCenter Server.
After the reboot, the reconfigureEsx command can be successfully run.
Feedback
Yes
No
Powered by
