Unable to access VM Web-console, fails with error: Couldn't establish a connection to the VM Web Console

Article ID: 345413

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • When a VM's console is launched from vCenter using the Web Console option, it fails with the error: Couldn't establish a connection to the VM Web Console
  • The VMRC console is still accessible.
  • Accessing the VM console directly from the Host Client also works.

The rhttpproxy logs on the host show SSL handshake errors:

2023-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33476'>>), e: 336151574(sslv3 alert certificate unknown), duration: 26msec

2023-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=RhttpProxy] SSL Handshake failed for stream SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33476'>>): N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown)

2023-08-30T09:03:27.220Z warning rhttpproxy[2163746] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7643a18, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33614'>>), e: 336151574(sslv3 alert certificate unknown), duration: 27msec

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0
VMware vCenter Server 8.0.x

Cause

The thumbprint of the host's current certificate does not match the thumbprint stored for that host in the VCDB.

This can be validated as follows:

  • Obtain the SSL thumbprint of the host from the vCenter database (VCDB):

/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "select id,dns_name,ip_address,host_ssl_thumbprint,expected_ssl_thumbprint from vpx_host;"

  • Obtain the thumbprint of the SSL certificate installed on the ESXi host:

openssl x509 -in /etc/vmware/ssl/rui.crt -text -fingerprint | grep -i finger


If the two thumbprints do not match, you are likely hitting this issue.
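The comparison above can be scripted so that differences in case, colons or the "Fingerprint=" prefix do not hide or fake a mismatch. This is an added example, not part of the original KB article: the function names are hypothetical, the host names and thumbprints are constructed sample values, and the column order is assumed to be the one produced by the query shown above.

```shell
#!/bin/sh
# Added example: compare the VCDB thumbprints for one host with the
# fingerprint line printed by openssl on that host.

# Constructed sample input (not real output): psql table and openssl line.
SAMPLE_PSQL=' id |      dns_name      | ip_address | host_ssl_thumbprint | expected_ssl_thumbprint
----+--------------------+------------+---------------------+-------------------------
  1 | esx01.example.test | 10.0.0.5   | 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44 |
  2 | esx02.example.test | 10.0.0.6   | AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD | AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'
SAMPLE_FP='SHA1 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# Strip a "... Fingerprint=" prefix, colons and whitespace; uppercase the hex.
normalize_tp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# compare_one DB_VALUE NORMALIZED_HOST_FP -> prints MATCH, MISMATCH or EMPTY
compare_one() {
    db=$(normalize_tp "$1")
    if [ -z "$db" ]; then echo EMPTY
    elif [ "$db" = "$2" ]; then echo MATCH
    else echo MISMATCH; fi
}

# check_host PSQL_OUTPUT DNS_NAME OPENSSL_FINGERPRINT_LINE
# Exit status: 0 = no mismatch, 1 = mismatch, 2 = host not in the output.
check_host() {
    fp=$(normalize_tp "$3")
    # Trim every column, then pick columns 4 and 5 of the row for this host.
    row=$(printf '%s\n' "$1" | awk -F'|' -v h="$2" '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $2 == h { print $4 "|" $5; exit }')
    if [ -z "$row" ]; then echo "NOT_FOUND"; return 2; fi
    host_res=$(compare_one "${row%%|*}" "$fp")
    exp_res=$(compare_one "${row#*|}" "$fp")
    echo "host_ssl_thumbprint=$host_res expected_ssl_thumbprint=$exp_res"
    [ "$host_res" = MATCH ] && [ "$exp_res" != MISMATCH ]
}

# Demo on the constructed sample: esx01 reports a mismatch.
check_host "$SAMPLE_PSQL" esx01.example.test "$SAMPLE_FP" || true
```

In practice, pass the saved output of the psql query as the first argument and the line printed by the openssl command on the host as the third.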

Resolution

  • Disconnect the host and reconnect it to update the VCDB with the current thumbprint.
  • (OR) Restart the vpxa and hostd services by executing the commands below:

/etc/init.d/vpxa restart

/etc/init.d/hostd restart