VMware Cloud Community
VSprague
Hot Shot

Unable to login to VCenter 4.1 after installing security updates

After installing security patches on several servers I'm unable to login to VCenter 4.1 from those servers (2008 R2) and I'm receiving this message.

---------------------------
Could Not Connect
---------------------------
vSphere Client could not connect to "vcenter01".

An unknown connection error occurred. (The request failed due to an SSL error. (The request was aborted: Could not create SSL/TLS secure channel.))
---------------------------
OK  
---------------------------

For security reasons I cannot back out the security patches and unfortunately I cannot upgrade the environment to 5.x either so I'm in need of a suitable workaround to this issue.

0 Kudos
12 Replies
rcporto
Leadership

Can you confirm if your vCenter Server certificate has a key of at least 1024 bits? If it still has a 512-bit key, you can try the workaround from this other thread: Re: KB3161608 (KB3161639) breaks vSphere Client inventory search

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
0 Kudos
VSprague
Hot Shot

I tried that and it did not make a difference.

I created the key "Diffie-Hellman" under KeyExchangeAlgorithms and then I created the "ClientMinKeyBitLength" DWORD value inside of that key. The VSphere client gives me the same error as before and refuses to let me login.

0 Kudos
rcporto
Leadership

Did you reboot the server after the registry changes?

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
0 Kudos
VSprague
Hot Shot

Yes, I rebooted the client machine and afterwards attempted to login to vsphere again and received the same error.

0 Kudos
msripada
Virtuoso

Hello vSprague,

Can you check whether the Windows updates mentioned in the KB below are installed?

“The request was aborted: Could not create SSL/TLS secure channel.” Error when connecting to vCenter...

Thanks,

MS

0 Kudos
VSprague
Hot Shot

I found that article earlier; however, it specifically said it applied to VCenter 5.1 and 5.5, and for this environment I'm trying to access VCenter 4.1, and I did not think that the process for 4.1 was the same as 5.x.

Also, the patches mentioned in that article are not on this system.

The patches that I installed that ultimately broke this were:

KB2803821

KB2847077

KB4012202

KB4019264

0 Kudos
msripada
Virtuoso

Have you tried accessing vCenter from a different Windows box to check if that works?

Thanks,

MS

0 Kudos
VSprague
Hot Shot

Any Windows machines that are up to date won't connect and kick back that same error. The VCenter server itself isn't fully updated yet and I can connect fine. Rolling back patches on these servers is not an option so I need to find a way to fix it.

0 Kudos
SteveGiles78
Contributor

I am having the exact same issue and also cannot upgrade at this time. Did you happen to get this issue resolved?

0 Kudos
VSprague
Hot Shot

Unfortunately I have yet to find a working solution.

0 Kudos
bhwong7
Contributor

Download: http://slproweb.com/download/Win64OpenSSL_Light-1_1_0h.exe

Create an archive subfolder and move all SSL cert files in C:\ProgramData\VMware\VMware VirtualCenter\SSL into this folder.

Copy C:\OpenSSL-Win64\bin\PEM\demoCA to C:\OpenSSL-Win64\bin

Run the following commands:

1. cd OpenSSL-Win64\bin

2. set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg 

3. openssl genrsa 2048 > rui.key

4. openssl req -new -key rui.key > rui.csr

5. openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -subj "/C=XX/ST=YY/L=ZZ/CN=vCenterName"
(XX = City, YY = State, ZZ = Country. vCenterName = your vCenter hostname)

6. openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Copy all rui.* into C:\ProgramData\VMware\VMware VirtualCenter\SSL and C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL

Run C:\Program Files (x86)\VMware\Infrastructure\Update Manager\VMwareUpdateManagerUtility.exe

Restart the vCenter and Update Manager services.

Reference:

https://kb.vmware.com/s/article/1009092

https://kb.vmware.com/s/article/1023011

0 Kudos
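
A check that can be run on the regenerated rui.crt, or on the archived original, to compare its RSA key size with the 1024-bit minimum asked about earlier in the thread. This is an added example, not part of any post above; it assumes openssl is on PATH, and the function names, the MIN_BITS variable and the choice to also report MD5/SHA-1 signatures are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread: audit a PEM certificate such as rui.crt.
# Assumes openssl on PATH; function names and MIN_BITS are this example's own.

# Print the public key size in bits, or nothing if the file is unreadable.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm, e.g. sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# audit_cert FILE [MIN_BITS]: print one status line; return 0 only when OK.
audit_cert() {
    cert=$1
    min_bits=${2:-1024}
    bits=$(cert_key_bits "$cert")
    alg=$(cert_sig_alg "$cert")
    if [ -z "$bits" ]; then
        echo "UNREADABLE file=$cert"
        return 2
    fi
    status=OK
    # Example policy (an assumption): MD5 and SHA-1 signatures are reported too.
    case $alg in
        md5*|sha1*) status=WEAK_HASH ;;
    esac
    # A short key takes precedence, since it is what the thread is about.
    if [ "$bits" -lt "$min_bits" ]; then
        status=WEAK_KEY
    fi
    echo "$status bits=$bits sig=$alg file=$cert"
    [ "$status" = OK ]
}

# Make a throwaway self-signed certificate (constructed sample input).
make_sample_cert() {   # make_sample_cert DIR BITS
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 -subj "/CN=vcenter-sample" \
        -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}

# Audit every file named on the command line: sh audit_cert.sh rui.crt
for f in "$@"; do
    audit_cert "$f" "${MIN_BITS:-1024}" || true
done
```

The size check reads the RSA modulus length from the `Public-Key` line of `openssl x509 -text`, so it is meant for RSA certificates like the ones discussed here.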