Disconnected from Host reason ESXi Host Cannot Verify SSL Thumbprint – Proven Fix
Introduction
When managing a VMware vSphere environment, reliable communication between vCenter Server and its ESXi hosts is critical. One common issue administrators encounter is:
“Disconnected from Host. Reason Cannot verify the SSL thumbprint.”
This happens when the SSL certificate thumbprint stored in vCenter does not match the thumbprint of the certificate the ESXi host now presents. As a result, vCenter marks the host as Disconnected or Not Responding and stops synchronizing with it.
In this article, we’ll walk you through the root cause of the ESXi SSL Thumbprint Error, symptoms to look for, and proven methods to fix it.
What Causes the SSL Thumbprint Error in ESXi?
Every ESXi host presents an SSL certificate to identify itself to vCenter, and vCenter pins that certificate's thumbprint when the host is added. If the host is upgraded, reinstalled, or its certificate is regenerated, the thumbprint no longer matches the pinned value.
The check itself is the security mechanism: by refusing to talk to a host whose thumbprint has changed, vCenter makes sure a different system answering at the host's address (a man-in-the-middle or a rogue host) cannot silently take its place. The error is the check working as designed; the job is to confirm why the thumbprint changed before telling vCenter to trust the new one.
Causes:
- Certificate mismatch after an upgrade, reinstall, or regeneration: the host presents a new certificate while vCenter still holds the old thumbprint.
- vCenter refuses to trust the new thumbprint until an administrator accepts it, so the host status changes to Disconnected.
- DNS issues: a stale or duplicate record can make vCenter reach a different system than the one whose thumbprint it stored.
- Time synchronization (NTP): clock skew between vCenter and the host can put the certificate outside its validity period.
Symptoms of SSL Thumbprint Mismatch
- Host status shows Disconnected or Not Responding in vCenter.
- Tasks fail when communicating with the host.
- vCenter prompts SSL thumbprint verification when reconnecting.
How to Fix ESXi Host Cannot Verify SSL Thumbprint Error
Here are four solutions, ordered from the simplest to the most invasive. Start with the first and move on only if it does not resolve the problem.
Method 1: Reconnect the Host and Accept the New SSL Thumbprint
- Open the vSphere Client (or the older vSphere Web Client).
- Right-click the disconnected ESXi host → Reconnect.
- When prompted, confirm that the thumbprint shown is the host's own (see Method 4), then accept it.
Best for: Minor mismatches after upgrades or reboots.
Method 2: Remove and Re-Add the Host to vCenter
If reconnect fails:
- Right-click the host → Remove from Inventory.
- Go to vCenter > Hosts and Clusters → Add Host.
- Enter the ESXi hostname (preferably the FQDN rather than the IP) and credentials, verify the thumbprint shown, and accept it.
Best for: Persistent SSL trust issues.
Method 3: Regenerate ESXi SSL Certificates (Proven Fix)
If the ESXi host's self-signed certificate is invalid, expired, or corrupted:
- Put the ESXi host into Maintenance Mode.
- Enable SSH on the host and connect with an SSH client such as PuTTY.
- Move the old certificate and key aside (do not delete them until the host has reconnected):
mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old
- Generate a new self-signed certificate and key:
/sbin/generate-certificates
- Restart the management agents so the new certificate is served (hostd) and the vCenter agent re-handshakes (vpxa):
/etc/init.d/hostd restart
/etc/init.d/vpxa restart
- Reconnect the host in vCenter and accept the new thumbprint after checking it against the value the host itself reports (Method 4).
Best for: SSL errors caused by invalid, expired, or corrupted certificates.
Caveat: on vSphere 6.0 and later, where the VMware Certificate Authority (VMCA) normally issues host certificates, prefer the vSphere Client action Host > Configure > Certificate > Renew Certificate. The manual steps above produce a self-signed certificate; when a host is re-added to a vCenter running in VMCA mode, vCenter replaces it with a VMCA-signed one, so expect the thumbprint to change once more.
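The Method 3 steps above as one script, added here as an example for this article (it is not a VMware tool). It is written in POSIX sh so it runs in the ESXi shell (busybox ash), refuses to run unless the host is already in maintenance mode, keeps timestamped backups instead of overwriting an earlier .old pair, restores the old pair if generation fails, and prints the old and new thumbprints so you have a value to compare against the vCenter prompt. The maintenance-mode check uses `vim-cmd hostsvc/hostsummary`; the directory argument is there so the logic can be dry-run in a scratch directory, but `generate-certificates` itself always writes to /etc/vmware/ssl, so on a real host pass no argument.

```shell
#!/bin/sh
# regen-host-cert.sh: Method 3 with a backup and safety checks.
# Added example for this article, not a VMware script. POSIX sh only, so it
# runs in the ESXi busybox shell. Run on the host as: sh regen-host-cert.sh --run

# Refuse to touch certificates unless the host is already in maintenance mode.
in_maintenance_mode() {
    vim-cmd hostsvc/hostsummary 2>/dev/null | grep -q 'inMaintenanceMode = true'
}

# The ESXi built-in that creates a fresh self-signed rui.crt/rui.key.
generate_certificates() {
    /sbin/generate-certificates
}

# hostd serves the new certificate; vpxa is the vCenter agent that must
# re-handshake with it.
restart_services() {
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart
}

# SHA-1 thumbprint of a PEM certificate, or a placeholder if it cannot be read.
show_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null || echo "(unreadable)"
}

# Move the current pair aside under a timestamp (so an earlier backup is never
# overwritten), regenerate, verify the result, restart, and print the new thumbprint.
regenerate_host_cert() {
    ssl_dir=${1:-/etc/vmware/ssl}
    stamp=$(date +%Y%m%d-%H%M%S)

    if ! in_maintenance_mode; then
        echo "Host is not in maintenance mode; enter it first." >&2
        return 1
    fi

    echo "Old thumbprint: $(show_thumbprint "$ssl_dir/rui.crt")"
    # mv keeps the key's restrictive permissions; the backup is still a private key.
    mv "$ssl_dir/rui.crt" "$ssl_dir/rui.crt.$stamp.old" || return 1
    mv "$ssl_dir/rui.key" "$ssl_dir/rui.key.$stamp.old" || return 1

    if ! generate_certificates || ! [ -s "$ssl_dir/rui.crt" ] || ! [ -s "$ssl_dir/rui.key" ]; then
        echo "Certificate generation failed; restoring the previous pair." >&2
        mv "$ssl_dir/rui.crt.$stamp.old" "$ssl_dir/rui.crt"
        mv "$ssl_dir/rui.key.$stamp.old" "$ssl_dir/rui.key"
        return 1
    fi

    restart_services || return 1
    echo "New thumbprint: $(show_thumbprint "$ssl_dir/rui.crt")"
    echo "Compare this value with the thumbprint vCenter shows when you reconnect the host."
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "$1" = "--run" ]; then
    regenerate_host_cert "$2"
fi
```

Keep the printed "New thumbprint" line with the change ticket: it is the value you check the vCenter reconnect prompt against, and the .old files are what you fall back to if the host does not come back.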
Method 4: Verify and Match the Thumbprint Manually
- SSH into the ESXi host.
- Run:
openssl x509 -in /etc/vmware/ssl/rui.crt -noout -fingerprint -sha1
- Compare this SHA-1 thumbprint with the value vCenter shows in the reconnect or add-host dialog. Read the host's value over a channel an attacker cannot sit in: the SSH session above, the host console (DCUI, F2 > View Support Information, which lists the SSL thumbprint), or a thumbprint recorded when the host was built. A value fetched over the network from the host's address only proves what answered at that address.
- If the host's own thumbprint matches what the dialog shows, the mismatch is benign (the certificate changed, not the host); accept it with Method 1 or 2. If it does not match, the dialog is showing a certificate that is not the host's: stop and check DNS, duplicate IPs, or an intercepting device before accepting anything.
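The comparison in Method 4 as a small script, added here as an example for this article (not VMware code). It normalizes thumbprints copied from the vCenter dialog, the DCUI, or openssl so they compare equal regardless of colons, spaces, case, or the "SHA1 Fingerprint=" label, computes the thumbprint either from a certificate file (rui.crt on the host) or from the certificate a live host serves on port 443, and exits non-zero on a mismatch or when no certificate could be read. The expected value is a script argument on purpose: it should come from the host console or a recorded build value, never from the same network path you are trying to verify. openssl's `-sha1`/`-sha256` digest options and `s_client -servername` are standard; POSIX sh, so it also runs in the ESXi shell.

```shell
#!/bin/sh
# check-thumbprint.sh: compare the thumbprint vCenter expects with what the
# host really presents, before clicking "accept". Added example for this
# article, not VMware code. Needs openssl only for the two fingerprint functions.

# Reduce a thumbprint to bare upper-case hex so values copied from the vCenter
# dialog ("ab:cd:..."), the DCUI ("AB CD ...") or openssl ("SHA1 Fingerprint=AB:CD:...")
# compare equal.
normalize_thumbprint() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# Exit 0 when two thumbprints are the same after normalization. An empty value
# (failed connection, unreadable file) never matches anything.
thumbprints_match() {
    [ -n "$(normalize_thumbprint "$1")" ] && \
    [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# Thumbprint of a PEM file, e.g. /etc/vmware/ssl/rui.crt on the host itself.
# $2 is the digest: sha1 (what the vCenter dialog shows) or sha256.
cert_file_thumbprint() {
    normalize_thumbprint "$(openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}")"
}

# Thumbprint of the certificate a live host serves on 443, fetched from the
# workstation. This is the same channel an attacker in the middle would answer
# on, so it is the value being checked, not the reference to check against.
live_host_thumbprint() {
    normalize_thumbprint "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint "-${2:-sha1}")"
}

# Usage: check-thumbprint.sh <expected-thumbprint> <host-fqdn | cert-file> [sha1|sha256]
main() {
    expected=$1
    target=$2
    digest=${3:-sha1}
    if [ -f "$target" ]; then
        actual=$(cert_file_thumbprint "$target" "$digest")
    else
        actual=$(live_host_thumbprint "$target" "$digest")
    fi
    if thumbprints_match "$expected" "$actual"; then
        echo "MATCH ($digest): $actual"
    else
        echo "MISMATCH ($digest): expected $(normalize_thumbprint "$expected") but got ${actual:-nothing}" >&2
        return 1
    fi
}

# Only run when given arguments, so the file can be sourced for its functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Typical use from the admin workstation: take the thumbprint off the host's DCUI screen, run `sh check-thumbprint.sh "<that value>" esxi01.example.com` (the hostname is a placeholder), and only go back to vCenter and accept the prompt if it reports MATCH. Run it again with `sha256` as the third argument where your vCenter release shows SHA-256 thumbprints.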
Best Practices to Avoid SSL Thumbprint Errors
- Use the FQDN instead of the IP address when adding hosts to vCenter.
- Maintain accurate DNS entries (forward and reverse) and avoid duplicates.
- Keep vCenter and all hosts synchronized to the same NTP sources.
- Use CA-signed certificates in enterprise environments.
- Document certificate changes, including the new thumbprint, so a later prompt can be checked against a known value.
Conclusion
The “ESXi Host Cannot Verify SSL Thumbprint” error is common and usually quick to fix. Start by reconnecting the host and accepting the new thumbprint. If that fails, re-add the host, regenerate the SSL certificate, or verify the certificate manually.
Always confirm the host's identity before accepting a new certificate: the thumbprint prompt is the one point at which vCenter asks you to decide whether the system at that address is really your host.
If the cause is not obvious, check the vCenter vpxd log (/var/log/vmware/vpxd/vpxd.log on the vCenter Server Appliance) around the time the host disconnected for the exact reason recorded.
FAQs
Why does my ESXi host keep disconnecting with SSL thumbprint errors?
Usually a certificate mismatch after an upgrade, reinstall, or regeneration. If it keeps recurring, check DNS and NTP as well.
How do I find the ESXi SSL thumbprint?
Run the following command in SSH:
openssl x509 -in /etc/vmware/ssl/rui.crt -noout -fingerprint -sha1
Can I ignore SSL thumbprint warnings in vCenter?
No. Always verify the certificate before accepting to avoid security risks.