Symptoms:
rhttpproxy logs of the host will indicate SSL handshake errors:
2023-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33476'>>), e: 336151574(sslv3 alert certificate unknown), duration: 26msec
2023-08-30T09:02:55.181Z warning rhttpproxy[2169973] [Originator@6876 sub=RhttpProxy] SSL Handshake failed for stream SSL(<io_obj p:0x00000079e7637df8, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33476'>>): N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown)
2023-08-30T09:03:27.220Z warning rhttpproxy[2163746] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x00000079e7643a18, h:17, <TCP '10.0.0.5 : 443'>, <TCP '10.0.0.100 : 33614'>>), e: 336151574(sslv3 alert certificate unknown), duration: 27msec
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0
VMware vCenter Server 8.0.x
A thumbprint mismatch between the host's current certificate and the thumbprint stored in the VCDB.
This can be validated as follows:
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "select id,dns_name,ip_address,host_ssl_thumbprint,expected_ssl_thumbprint from vpx_host;"
openssl x509 -in /etc/vmware/ssl/rui.crt -text -fingerprint | grep -i finger
If the thumbprints do not match, you are likely hitting this issue.
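The comparison above can be scripted. The following is an added example, not part of the original article: it takes the saved output of the psql query and the fingerprint line printed by the openssl command, normalizes both, and reports whether the vpx_host thumbprints match the host certificate. The function names, sample rows and fingerprints are constructed, and the colon-separated thumbprint format in the table is an assumption.

```shell
#!/bin/sh
# Added example. Sample rows and fingerprints below are constructed.

# Reduce "SHA1 Fingerprint=AA:BB:..." or "aa:bb:..." to bare uppercase hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# check_host PSQL_OUTPUT HOST_IP OPENSSL_FINGERPRINT_LINE
# Returns 0 on match, 1 on mismatch, 2 when no vpx_host row has HOST_IP.
check_host() {
    cert=$(norm_fp "$3")
    # Columns: id | dns_name | ip_address | host_ssl_thumbprint | expected_ssl_thumbprint
    row=$(printf '%s\n' "$1" | awk -F'|' -v ip="$2" '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        NF >= 5 && $3 == ip { print $4 "|" $5; exit }')
    if [ -z "$row" ]; then echo "NOTFOUND $2"; return 2; fi
    host_tp=$(norm_fp "${row%%|*}")
    expected_tp=$(norm_fp "${row#*|}")
    status=MATCH
    [ "$host_tp" = "$cert" ] || status=MISMATCH
    # Defensive: compare expected_ssl_thumbprint only when it is populated.
    if [ -n "$expected_tp" ] && [ "$expected_tp" != "$cert" ]; then
        status=MISMATCH
    fi
    echo "$status $2 cert=$cert host_ssl_thumbprint=$host_tp"
    [ "$status" = MATCH ]
}

# Constructed input in the shape of the two commands' output. The 10.0.0.6 row
# is made to match the sample certificate so that both outcomes are shown.
SAMPLE_CERT_FP='SHA1 Fingerprint=A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4'
SAMPLE_PSQL=' id  |      dns_name      | ip_address |                     host_ssl_thumbprint                     |                   expected_ssl_thumbprint
-----+--------------------+------------+-------------------------------------------------------------+-------------------------------------------------------------
 101 | esx01.example.test | 10.0.0.5   | 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 | 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
 102 | esx02.example.test | 10.0.0.6   | A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4 | A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
(2 rows)'

check_host "$SAMPLE_PSQL" 10.0.0.5 "$SAMPLE_CERT_FP" || echo "exit status $?"
check_host "$SAMPLE_PSQL" 10.0.0.6 "$SAMPLE_CERT_FP" || echo "exit status $?"
```

To use it with real data, pass the captured psql output as the first argument and the host's own fingerprint line as the third.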
Restart the vpxa and hostd services by executing the commands below:
/etc/init.d/vpxa restart
/etc/init.d/hostd restart