• When a VM's Web Console is launched from the vCenter UI, it will error as "Couldn't establish a connection to the VM web console."
• VMRC (Remote Console) would be still accessible.
• Accessing VM console directly from the Host client also works.
  
  
• The following errors are observed in the ESXi /var/run/log/rhttpproxy.log



  2024-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '<ESXi-IP> : 443'>, <TCP '<VC-IP> : 33476'>>), e: 336151574(sslv3 alert certificate unknown), duration: 26msec
  2024-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=RhttpProxy] SSL Handshake failed for stream SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '<ESXi-IP> : 443'>, <TCP '<VC-IP> : 33476'>>): N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown)

vCenter Server
ESXi

A thumbprint mismatch between the host's current certificate vs the thumbprint in the VCDB.

• To obtain the SSL thumbprint of the ESXi host from the vCenter Database, SSH into vCenter and run the following command:
  
  /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "select id,dns_name,ip_address,host_ssl_thumbprint,expected_ssl_thumbprint from vpx_host;"

• To obtain the thumbprint of the SSL certificate installed on the ESXi host, SSH into the ESXi host and run the following command:
  
  openssl x509 -in /etc/vmware/ssl/rui.crt -text -fingerprint | grep -i finger

If the thumbprints mismatch, you are likely to hit the issue.

• Disconnect all the ESXi hosts from the vCenter UI and reconnect them to update the vCenter Database with the current thumbprint.

OR

• Restart the vpxa and hostd services on the ESXi host via SSH by executing the following commands:

/etc/init.d/vpxa restart
/etc/init.d/hostd restart