Attempting to connect an ESXi host to vCenter fails with the error "Cannot contact host FQDN while connecting ESXi host to vCenter".
Applies to all versions of vCenter and ESXi.
Network devices in the environment, such as firewalls and WAN optimizers, can use technology like SSL inspection to modify the TLS traffic between ESXi and vCenter, so the certificate vCenter receives is not the certificate the host is actually using.
This can be confirmed with the following steps:
1. From the ESXi host run the following command to validate the hash of the certificate in use by the ESXi host:
openssl x509 -noout -fingerprint -sha256 -in /etc/vmware/ssl/rui.crt
openssl x509 -noout -fingerprint -sha1 -in /etc/vmware/ssl/rui.crt
Sample output:
[root@ESXi~] openssl x509 -noout -fingerprint -sha256 -in /etc/vmware/ssl/rui.crt
SHA256 Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##
[root@ESXi~] openssl x509 -noout -fingerprint -sha1 -in /etc/vmware/ssl/rui.crt
SHA1 Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##
2. From vCenter run the following command:
openssl s_client -connect <ESXiFQDN>:443 -servername <ESXiFQDN> </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
openssl s_client -connect <ESXiFQDN>:443 -servername <ESXiFQDN> </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
Sample output:
root@vCenter [~ ]# openssl s_client -connect ########:443 -servername ###### </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
sha256 Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##
root@vCenter [~ ]# openssl s_client -connect ########:443 -servername ###### </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
sha1 Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##
If the fingerprints from step 1 (read locally on the host) and step 2 (as presented to vCenter over the network) do not match for the same algorithm, a firewall or WAN optimizer is modifying the traffic between the host and vCenter.
Change the network configuration so that traffic between ESXi and vCenter is not modified in transit.
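The same comparison, scripted so it can be repeated for many hosts, as an added example that is not part of the original article. It reproduces what the two openssl commands do: hash the DER bytes of the local rui.crt, fetch the leaf certificate a TLS client actually receives from the host (verification is disabled on purpose, exactly like openssl s_client, because the point is to see the bytes on the wire), and compare the two fingerprints. Only the Python standard library is used; the ESXi certificate path is the one from the article, and the host name, the SNI value and the sample PEM in the self-test are assumptions or constructed values.

```python
import base64
import hashlib
import socket
import ssl
from typing import Optional

# Certificate ESXi presents on port 443 (path from the article).
ESXI_CERT_PATH = "/etc/vmware/ssl/rui.crt"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """openssl-style fingerprint: uppercase hex pairs separated by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def local_fingerprint(path: str = ESXI_CERT_PATH, algo: str = "sha256") -> str:
    """Step 1 of the article: hash the certificate file on the ESXi host itself."""
    with open(path, "r", encoding="ascii") as fh:
        return fingerprint(pem_to_der(fh.read()), algo)


def remote_fingerprint(host: str, port: int = 443, sni: Optional[str] = None,
                       algo: str = "sha256", timeout: float = 10.0) -> str:
    """Step 2 of the article: hash the leaf certificate received over the network.

    Verification is turned off deliberately: ESXi certificates are commonly
    self-signed, and an interception device would present a chain that may or
    may not validate. We only want the bytes a client is actually handed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname plays the role of openssl's -servername (SNI).
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint(der, algo)


def fingerprints_match(local_fp: str, remote_fp: str) -> bool:
    """Case-insensitive comparison: openssl 1.1 prints 'SHA256 Fingerprint=',
    openssl 3.x prints 'sha256 Fingerprint=', and operators paste both."""
    return local_fp.replace(":", "").upper() == remote_fp.replace(":", "").upper()


def verdict(local_fp: str, remote_fp: str) -> str:
    """Human-readable result in the terms the article uses."""
    if fingerprints_match(local_fp, remote_fp):
        return "match: no device is rewriting the TLS session"
    return ("MISMATCH: the certificate vCenter receives is not the host's rui.crt; "
            "a firewall or WAN optimizer is modifying traffic in transit")


if __name__ == "__main__":
    import sys
    # Usage: python check_esxi_cert.py <ESXiFQDN> [path-to-rui.crt]
    # The host name is an assumption supplied by the operator.
    host = sys.argv[1]
    cert_path = sys.argv[2] if len(sys.argv) > 2 else ESXI_CERT_PATH
    for algo in ("sha256", "sha1"):
        local_fp = local_fingerprint(cert_path, algo)
        remote_fp = remote_fingerprint(host, sni=host, algo=algo)
        print(f"{algo} local : {local_fp}")
        print(f"{algo} remote: {remote_fp}")
        print(verdict(local_fp, remote_fp))
```

Run it on vCenter with a copy of the host's rui.crt (scp'd from /etc/vmware/ssl/), or run step 1 on the host and step 2 on vCenter and feed both strings to verdict(). A mismatch on sha256 and sha1 at the same time rules out a hash-algorithm mix-up and points squarely at in-path modification.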