BugZero | VMware BugID 95028 - VMRC Fails to Connect due to SSL Negotiation Error

VMware - Defect ID: 95028

VMRC Fails to Connect due to SSL Negotiation Error

VMware - Defect ID: 95028

VMRC Fails to Connect due to SSL Negotiation Error

Last updated on 11/2/2023

Overall: 0N/A

Severity: 0N/A

Community: 0N/A

Lifecycle: 0N/A

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 0N/A

Severity: 0N/A

Community: 0N/A

Lifecycle: 0N/A

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptoms

VMRC fails to connect, however, the Web Consoles may work just fineThis often occurs after an upgrade to VMware Cloud Director version 10.4.XThe VMRC failures can be identified in the console-proxy logs, a failed VMRC console may present a similar log sequence as shown below: 2023-09-22T09:07:14.345Z In(05) main REMOTEMKS: expected thumbprint for remote display: 90:D8:73:1B:4A:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C12023-09-22T09:07:14.345Z In(05) main SOCKET connect to wss://labs-cloud.vmware.com:4432023-09-22T09:07:14.345Z In(05) main SOCKET webSocket's hostname: labs-cloud.vmware.com2023-09-22T09:07:14.382Z In(05) main SOCKET creating new IPv4 socket, connecting to 10.21.6.21:443 (labs-cloud.vmware.com)2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1184 connected immediately!2023-09-22T09:07:14.390Z In(05) main PollSocketPairConnect: Blocking socket 1196 connected immediately!2023-09-22T09:07:14.411Z In(05) main MKSRoleMain: PowerOn finished.2023-09-22T09:07:14.419Z In(05) mks MKSControlMgr: connected2023-09-22T09:07:14.422Z In(05) mks MKS-VMDB: VMDB requested a screenshot2023-09-22T09:07:14.422Z In(05) svga MKSScreenShotMgr: Taking a screenshot2023-09-22T09:07:14.427Z In(05) mks KHBKL: Unable to parse keystring at: ''2023-09-22T09:07:14.429Z In(05) mks KHBKL: Unable to parse keystring at: ''2023-09-22T09:07:14.505Z Wa(03) mks SSL: Unknown SSL Error2023-09-22T09:07:14.505Z In(05) mks SSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed2023-09-22T09:07:14.505Z Wa(03) mks SOCKET 2 (1164) Could not negotiate SSL2023-09-22T09:07:14.505Z Wa(03)+ mks The remote host certificate has these problems:2023-09-22T09:07:14.505Z Wa(03)+ mks2023-09-22T09:07:14.505Z Wa(03)+ mks * self signed certificate in certificate chain2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Expected thumbprint doesn't match actual thumbprint.2023-09-22T09:07:14.506Z Wa(03) mks Expected thumbprint is: 90:D8:73:1B:4A:72:46:15:A9:2F:72:92:F9:a1:30:72:B9:A8:FC:C12023-09-22T09:07:14.506Z Wa(03)+ mks Actual thumbprint is: 69:63:E6:cc:60:21:5F:98:BD:4A:FC:37:BE:ff:C3:c0:A6:3A:B7:5F2023-09-22T09:07:14.506Z Wa(03) mks SOCKET 2 (1164) Cannot verify target host.2023-09-22T09:07:14.506Z Wa(03) mks MVNCClient: received socket error 13: Connection error: could not negotiate SSL2023-09-22T09:07:14.506Z In(05) mks MVNCClient: Setting vncClient.mksConnectionError, previous error is 0, new error is 12023-09-22T09:07:14.506Z In(05) mks MVNCClient: Destroying VNC Client socket.2023-09-22T09:07:14.506Z In(05) mks MKSRoleMain: Disconnected from server (error=1)2023-09-22T09:07:14.506Z In(05) mks MKS-RoleRemote: Disconnected from server with error code 1.2023-09-22T09:07:14.506Z In(05) mks MKSThread: Requesting MKS exit 2023-09-22T09:07:14.506Z In(05) main Stopping MKS/SVGA threads

Purpose

This KB is intended to resolve issues with VMRC consoles after upgrading to version 10.4.X

Cause

VMRC connection failures on version 10.4.X are usually attributed to a thumbprint mismatch -- this happens when the expected thumbprint for the VMRC console does not match the actual thumbprint presentedThe thumbprint mismatch occurs because the certificate in the Administration > Settings > Public Addresses tab is incomplete, out of order, or otherwise corruptThe certificate imported to the Administration > Settings > Public Addresses tab must include the full chain as well as the correct endpoint certificate

Impact / Risks

VMRC consoles will be inaccessible due to the thumbprint mismatch

Resolution

The best way to resolve this issue is to validate the quality of the certificate chain, then import that chain via the built-in UI functionality to the Administration > Settings > Public Addresses tab. This can be done as follows: Review the /opt/vmware/vcloud-director/etc/global.properties file to identify the location of the HTTPS certificate. This path is referenced by the entry labeled "user.certificate.path". The default path is /opt/vmware/vcloud-director/etc/user.http.pemCopy the certificate from the path identified in step 1 to your workstationNavigate to the Provider portal and go to Administration > Settings > Public AddressesClick the "Edit" button at the top of page. Then proceed to click the "Replace Certificate File" button and upload the certificate from step 1Save this configuration for the Web Portal and API endpoint.Test VMRC again to see if the same issue occurs

Original Vendor Announcement

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

VMware - Defect ID: 95028

VMRC Fails to Connect due to SSL Negotiation Error

VMware - Defect ID: 95028

VMRC Fails to Connect due to SSL Negotiation Error

Last updated on 11/2/2023

Vendor details

Vendor details

Description

Symptoms

Purpose

Cause

Impact / Risks

Resolution

Links

Top VMware defects by risk score

Ready to prevent the next vendor outage?