TLS disable of ESXi fails on vCenter Server with error [SSL: UNKNOWN_PROTOCOL]

Article ID: 344690

Products

VMware vCenter Server

Issue/Introduction

This article explains how to change the TLS versions of ESXi hosts correctly with the reconfigureEsx command.


Symptoms:
  • The reconfigureEsx command fails with the error:
In vCenter Server Appliance:

[ /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost". 
Password:           
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)
 
In Windows:
 
C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
ESXi Transport Layer Security reconfigurator, version=6.x.x, build=xxxxxxx
For more information refer to the following article: https://kb.vmware.com/kb/2148819
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\EsxTlsReconfigurator.log".
Connecting to vCenter Server at: "localhost".
Password:
[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:661)


Environment

VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x

Cause

If the vCenter Server has a proxy configured, the reconfigureEsx command may fail.
As a result, the TLS versions of the ESXi host cannot be disabled.

Resolution

Currently, there is no resolution.
 


Workaround:
To work around this issue, disable the proxy on the vCenter Server, and then run the reconfigureEsx command.
 
 In vCenter Server Appliance:
  1. Open an SSH session to the vCenter Server Appliance.
  2. Edit the /etc/sysconfig/proxy file.
    Change the value of PROXY_ENABLED="yes" to PROXY_ENABLED="no".
 In Windows:
  1. Start Internet Explorer.
  2. Open the Internet Options.
  3. Click the Connections tab.
  4. Click LAN settings.
  5. Disable the Use a proxy server for your LAN option and any other such settings.
  6. Click OK two times to confirm the configuration.

Reboot the vCenter Server.
After the reboot, the reconfigureEsx command can be successfully run.
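
The appliance steps above as a script that checks the current PROXY_ENABLED value, keeps a backup, and changes only that line. This is an added example, not part of the original article or VMware code; the function names proxy_state and disable_proxy and the backup file are assumptions, and the reboot described above is still required afterwards.

```shell
#!/bin/sh
# Added example (not VMware code). Function names are hypothetical.

# Print the value of PROXY_ENABLED in file $1, or "unset" if the key is absent.
proxy_state() {
    val=$(grep -E '^[[:space:]]*PROXY_ENABLED=' "$1" | tail -n 1 |
          cut -d= -f2- | tr -d "\"' \t")
    echo "${val:-unset}"
}

# Set PROXY_ENABLED="no" in file $1, keeping a timestamped backup beside it.
# Returns 0 on success or when nothing needs changing, 2 if the file is missing.
disable_proxy() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ "$(proxy_state "$file")" != "yes" ]; then
        echo "PROXY_ENABLED is not \"yes\" in $file; nothing to change"
        return 0
    fi
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    # Rewrite only the PROXY_ENABLED line; every other setting is left as it was.
    sed 's/^\([[:space:]]*PROXY_ENABLED=\).*/\1"no"/' "$backup" > "$file" ||
        { cp -p "$backup" "$file"; return 1; }
    echo "PROXY_ENABLED set to \"no\" in $file; original saved as $backup"
}

# Demo on a constructed sample file, not a real appliance configuration.
# On the appliance the call would be: disable_proxy /etc/sysconfig/proxy
demo=$(mktemp -d)
printf '%s\n' 'PROXY_ENABLED="yes"' \
    'HTTPS_PROXY="http://proxy.example.invalid:3128"' > "$demo/proxy"
disable_proxy "$demo/proxy"
echo "state after change: $(proxy_state "$demo/proxy")"
rm -rf "$demo"
```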