Accessing VM Web Console from vCenter UI fails with "Couldn't establish a connection to the VM web console."
Article ID: 345413
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- When a VM's Web Console is launched from the vCenter UI, it will error as "
Couldn't establish a connection to the VM web console." - VMRC (Remote Console) would be still accessible.
- Accessing VM console directly from the Host client also works.
- The following errors are observed in the ESXi host
/var/run/log/rhttpproxy.logYYYY-MM-DDTHH:MM:SSZ warning rhttpproxy[216##73] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '<ESXi-IP> : 443'>, <TCP '<VC-IP> : 33476'>>), e: 336151574(sslv3 alert certificate unknown), duration: 26msecYYYY-MM-DDTHH:MM:SSZ warning rhttpproxy[216##73] [Originator@6876 sub=RhttpProxy] SSL Handshake failed for stream SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '<ESXi-IP> : 443'>, <TCP '<VC-IP> : 33476'>>): N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown)
Environment
- VMware vCenter Server 8.x
- VMware vSphere ESXi 8.x
Cause
This issue occurs when there is a SSL thumbprint mismatch between the ESXi host and the vCenter Server Database (VCDB).
- To obtain the SSL thumbprint of the ESXi host from the vCenter's Database, SSH into vCenter and run the following command:
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "select id,dns_name,ip_address,host_ssl_thumbprint,expected_ssl_thumbprint from vpx_host;"
- To obtain the thumbprint of the SSL certificate installed on the ESXi host, SSH into the ESXi host and run the following command:
openssl x509 -in /etc/vmware/ssl/rui.crt -text -fingerprint | grep -i finger
Mismatching thumbprints indicate that the vCenter Database is referencing an outdated certificate, triggering the login error.
Resolution
- Option 1: Reconnect Hosts via vCenter UI (This method forces vCenter to refresh its records and update the SSL thumbprint in its database.Log in to the vSphere Client.
- Navigate to the Hosts and Clusters view.
- Right-click the affected ESXi host and select
Connection > Disconnect. - Once disconnected, right-click the host again and select
Connection > Connect. - If prompted to verify the host certificate, click
Yes/OK.
- Enable and log in to the ESXi host via SSH using root credentials.
- Restart the vCenter Agent (vpxa) and the Host Management (hostd) services by running the following commands:
/etc/init.d/vpxa restart/etc/init.d/hostd restart
Feedback
Yes
No
Powered by
