Setting the Config.HostAgent.ticketing.thumbprintTypes to sha256 does not launch VM web console from vCenter server.

Article ID: 412713

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • As a requirement to disable SHA1 thumbprints on the ESXi hosts and use SHA256 instead, the Advanced System Setting "Config.HostAgent.ticketing.thumbprintTypes" is set to sha256 on the host.

  • After the setting is applied, launching any Virtual Machine Web consoles on this host from the vCenter server fails with the error - "Couldn't establish a connection to the VM web console".

  • By default, ESXi hosts have Config.HostAgent.ticketing.thumbprintTypes set to sha1:

    key    : Config.HostAgent.ticketing.thumbprintTypes,
    desc   : "Hash algorithms with which to generate host thumbprints, specified as a comma-separated list. Options are sha1, sha256. If no hash is specified, all hashes that are considered secure are enabled."

  • A thumbprint mismatch between the host certificate and the thumbprint stored in the VCDB has already been checked using the article - Accessing VM Web Console from vCenter UI fails with "Couldn't establish a connection to the VM web console."

Environment

VMware vCenter server 8.0
VMware vSphere ESXi 8.0

Cause

This is a known issue in the 8.0.x releases.

When Config.HostAgent.ticketing.thumbprintTypes is set to sha256, the sha1 thumbprint that normally fills the sslThumbprint field of the VirtualMachine ticket is left unset. As a result, the vCenter UI server sends the browser a plain ticket that points at the ESXi host, and the browser tries to connect directly to the ESXi host when opening the web console.
The connection fails because either the ESXi host is not reachable from the client browser, or the browser does not trust the TLS certificate of the ESXi host.
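The following PowerCLI snippet is an added example (not part of this article or of VMware's own tooling) that inventories the setting described above across all ESXi hosts in a connected vCenter Server and flags the combination the Cause section describes: an 8.0.x host with Config.HostAgent.ticketing.thumbprintTypes set to exactly sha256. It assumes VMware PowerCLI is installed and that a session has already been opened with Connect-VIServer; the Get-VMHost, Get-AdvancedSetting and Get-View cmdlets are standard PowerCLI cmdlets.

```powershell
# Added example, not from the KB article: report every ESXi host whose
# thumbprint-type setting matches the condition that breaks the VM web console.
# Assumes an existing PowerCLI session (Connect-VIServer has already been run).

$settingName = 'Config.HostAgent.ticketing.thumbprintTypes'

$report = foreach ($vmhost in Get-VMHost) {
    # Read the advanced setting; on a default host this returns "sha1".
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue
    $value   = if ($null -ne $setting) { [string]$setting.Value } else { '' }

    # The setting is documented as a comma-separated list (options: sha1, sha256),
    # so split it and normalise case/whitespace before comparing.
    $types = @($value -split ',' |
               ForEach-Object { $_.Trim().ToLowerInvariant() } |
               Where-Object { $_ -ne '' })

    # An empty value means "all hashes considered secure are enabled", which is
    # not the failing configuration; only a list consisting solely of sha256 is.
    $sha256Only = ($types.Count -eq 1 -and $types[0] -eq 'sha256')

    [pscustomobject]@{
        Host            = $vmhost.Name
        ESXiVersion     = $vmhost.Version
        ThumbprintTypes = if ($value -eq '') { '<not set>' } else { $value }
        # Matches the Cause section: sha256 only, on an 8.0.x host.
        AffectedByKB    = ($sha256Only -and $vmhost.Version -like '8.0*')
    }
}

# vCenter Server version, since the fix requires both sides on 9.x.
$vcVersion = (Get-View ServiceInstance).Content.About.Version
Write-Host "vCenter Server version: $vcVersion"

$report | Sort-Object AffectedByKB -Descending, Host | Format-Table -AutoSize
```

Hosts reported with AffectedByKB = True will show the "Couldn't establish a connection to the VM web console" error described above until both vCenter Server and the host are moved to the 9.x release where the console no longer depends on thumbprints.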

Resolution

This issue is fixed in vCenter Server and vSphere ESXi 9.0.
Starting with 9.x, the web console relies on full certificates instead of certificate thumbprints. When both the vCenter server and the ESXi hosts are on 9.x, the issue does not occur.