ESXi hosts are disconnected due to SSL Thumbprint error. How to fix Effectively?


How to Fix ESXi Host SSL Thumbprint Error

Managing a VMware vSphere environment involves regular maintenance, including updating ESXi hosts and vCenter. One common issue that administrators may face after such activities is ESXi hosts showing as disconnected due to an SSL thumbprint error. This typically occurs when there’s a mismatch between the SSL certificate thumbprint stored in vCenter and the actual certificate used by the ESXi host.

In this article, we’ll walk through the root cause, how to verify the issue, and multiple ways to resolve the SSL thumbprint mismatch error.


What Causes the SSL Thumbprint Error?

Each ESXi host presents a secure SSL certificate to vCenter for identification. If the host is upgraded, reinstalled, or the SSL certificate is regenerated or replaced, the new certificate’s thumbprint may not match what vCenter expects. As a result, vCenter marks the host as disconnected or not responding.

This is a security feature to prevent man-in-the-middle attacks and unauthorized access.


Symptoms

  • Host status shows “Disconnected” or “Not responding” in vCenter.
  • Tasks fail when communicating with the host.

Step-by-Step Fix

There are four simple and effective ways to fix this issue, described step by step below.

Method 1: Reconnect the Host and Accept the New SSL Thumbprint if Prompted

  1. Open the vSphere Web Client.
  2. Right-click the disconnected ESXi host and select Reconnect.
  3. A prompt will appear to verify and accept the new SSL thumbprint.
  4. Click Yes to confirm and reconnect the host.

Best for simple thumbprint mismatches after upgrades or reboots. If this doesn’t work, try the following method.

Method 2: Remove and Re-Add the Host

Note: Use this method only if reconnect fails or SSL trust is broken.

  1. Right-click the host and select Remove from Inventory.
  2. Navigate to vCenter > Hosts and Clusters.
  3. Right-click the desired cluster or datacenter and choose Add Host.
  4. Enter the ESXi hostname or IP, credentials, and accept the new SSL thumbprint.

Effective when reconnection fails due to a persistent certificate mismatch.

Method 3: Regenerate the SSL Certificate for ESXi Hosts (Reliably Effective)

Possible error: the self-signed SSL certificate generated by the ESXi host is not trusted by vCenter, or another error related to host SSL verification appears.

To solve this, generate a new SSL certificate on each affected ESXi host managed by the HA cluster, then reconnect the host to the cluster so that vCenter trusts the new thumbprint.

  1. Put the ESXi host into Maintenance Mode, start the SSH service, and connect to the host with PuTTY (or any SSH client).
  2. Rename the old SSL certificate and key with the following commands:
     mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old
     mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old
  3. Generate a new SSL certificate with the following command:
     /sbin/generate-certificates
  4. Restart the hostd and vpxa services with the following commands:
     /etc/init.d/hostd restart
     /etc/init.d/vpxa restart

Now check the host status in vCenter; after a short while it will show as disconnected.

Connect the host by entering the root credentials. vCenter will prompt you to verify the new SSL certificate; click “Yes” to replace the stored host certificate with the new one and verify the host.

[Screenshot: ESXi hosts are disconnected due to SSL Thumbprint error]

Method 4: Check and Match Thumbprint Manually

  1. SSH into the ESXi host.
  2. Run the following command:
     openssl x509 -in /etc/vmware/ssl/rui.crt -noout -fingerprint -sha1
  3. Note the SHA1 thumbprint.
  4. Compare it with what vCenter expects (visible in vCenter logs or in the error message).
  5. If they do not match, follow Method 1 or 2.
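The manual comparison in Method 4 is easy to get wrong by hand because vCenter, openssl and log lines print the same SHA1 thumbprint in different shapes (upper or lower case, with or without colons, with a “SHA1 Fingerprint=” prefix). The following script, an added example that is not part of the original article and not a VMware tool, computes the thumbprint from the PEM contents of rui.crt the same way openssl does (SHA1 over the DER encoding) and compares it with the value vCenter reports after normalising both. The certificate body embedded in SAMPLE_RUI_CRT is constructed for the example and is not a real certificate; the fetch_host_cert helper, which pulls the certificate the host actually serves on port 443, is an assumption about your network reachability and is not exercised offline.

```python
import hashlib
import re
import ssl

# Constructed sample: a syntactically valid PEM wrapper around a made-up
# base64 body. It is NOT a real certificate; it stands in for the contents
# of /etc/vmware/ssl/rui.crt so that the script runs offline.
SAMPLE_RUI_CRT = """-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIUQ2VydGlmaWNhdGUgZm9yIGV4YW1wbGUgb25seTANBgkq
-----END CERTIFICATE-----
"""


def sha1_thumbprint(pem: str) -> str:
    """Return the SHA1 thumbprint of a PEM certificate in vCenter's
    colon-separated upper-case form. The hash is taken over the DER bytes,
    which is what `openssl x509 -fingerprint -sha1` hashes as well."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Reduce a thumbprint copied from vCenter, openssl output or a log line
    to 40 upper-case hex digits so that two values can be compared exactly.
    Drops an optional 'SHA1 Fingerprint=' prefix, colons and whitespace."""
    value = value.split("=", 1)[-1]          # keep only the part after '='
    hex_only = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hex_only) != 40:                  # SHA1 is 20 bytes = 40 hex digits
        raise ValueError(f"not a SHA1 thumbprint: {value!r}")
    return hex_only.upper()


def thumbprints_match(pem: str, expected: str) -> bool:
    """True when the certificate's thumbprint equals the one vCenter expects."""
    return normalize_thumbprint(sha1_thumbprint(pem)) == normalize_thumbprint(expected)


def fetch_host_cert(host: str, port: int = 443) -> str:
    """Fetch the PEM certificate the ESXi host actually presents on its TLS
    port, so the check can be run from an admin workstation instead of over
    SSH. (Assumed reachable host; not used in the offline run.)"""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    actual = sha1_thumbprint(SAMPLE_RUI_CRT)
    # Placeholder for the thumbprint shown in the vCenter error or log line;
    # here it is derived from the sample so the run completes offline.
    expected_from_vcenter = "SHA1 Fingerprint=" + actual.lower()
    print("host certificate thumbprint :", actual)
    print("matches vCenter's expectation:", thumbprints_match(SAMPLE_RUI_CRT, expected_from_vcenter))
```

In practice, paste the contents of /etc/vmware/ssl/rui.crt (or the output of fetch_host_cert) into the script and the thumbprint from the vCenter message into expected_from_vcenter. A match confirms that the certificate vCenter is about to trust is the one on the host you just regenerated or reinstalled, which is the identity check the Conclusion asks for before clicking “Yes”; a mismatch means the host is presenting something else and the prompt should not be accepted until that is understood.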

Conclusion

SSL thumbprint mismatches on VMware ESXi hosts are common after upgrades or certificate changes. Luckily, fixing them is straightforward: accept the new certificate, re-add the host to vCenter, or regenerate the host’s SSL certificate. Always verify the host’s identity before accepting a new SSL thumbprint, so that the security of your virtual environment is maintained.

If the issue persists, check VMware logs for further troubleshooting.
