Dunland
Contributor
Contributor

ESXI 6.5 HTTPs/TLs settings need changing - cant view Web UI

Hi All,

Got a stand-alone esxi 6.5 host (no Vcenter) with a couple of live VM's on them. As of the last few weeks i haven't been able to access the Web UI at the example address of (https://192.168.1.2/ui/#/login ). The error message in IE is as shown in the following snippet:

esxi 6.5 error tls.PNG

I have followed a few guides including:

To disable TLS1.1 - ESXI TLS configuration - Super User

Anyone got any ideas? I feel like this is due to bowsers increasing their security and only allowing certain protocols, but using the guide mentioned, my settings are here:

esxi 6.5 tls settings.PNG

0 Kudos
22 Replies
Dunland
Contributor
Contributor

Hi all,

Anyone got any ideas? No config changes were made on the host or its services for this to occur. Anyone have any next steps to resolve?

0 Kudos
daphnissov
Immortal
Immortal

Does it work in Chrome?

0 Kudos
Dunland
Contributor
Contributor

Hi There,

Interestingly enough - it also fails, but it gives a bit more of a detailed reason why - see screenshot below:

esxi 6.5 error tls CHROME.PNG

0 Kudos
Dunland
Contributor
Contributor

Bump

What am i missing here?

0 Kudos
diegodco31
Leadership
Leadership

Have you tried it on another desktop?

Diego Oliveira LinkedIn: http://www.linkedin.com/in/dcodiego
0 Kudos
Dunland
Contributor
Contributor

It works on an unpatched laptop i have lying around - but all my patched and windows updated devices dont ant to access it.

0 Kudos
TotesHagopes
VMware Employee
VMware Employee

I'd be curious if the versions of Chrome are different between the patches and unpatched laptop. At least compare if that is what could be part of the equation.

On Chrome, you can hit F12 -> Security and see if the certificate details shed any further light.

Separately, can you check the certificate information for your ESXi host and verify the details meet the requirements on our Whitepapers? Requirements for ESXi Certificate Signing Requests

If it meets this, I am suspecting the browser may be the cause.

0 Kudos
Dunland
Contributor
Contributor

So i genuinely think it has to do with the newest versions of Browsers not accepting certain TLS settings from sites. Understandable, but before i start pissing around with certs for a single host i thought i'd ask if anyone else had seen it, if there was a workaround, and if it was a known issue.

On Chrome F12, see the below snippet. It doesnt elt me click on much for it - and the 'all green' makes me giggle when it doesn't trust the page

esxi 6.5 error tls CHROME with f12.PNG

0 Kudos
Dunland
Contributor
Contributor

Also, I havent done any work on the certs connecting up to any CA's or anything - just what comes out of the box.

0 Kudos
pwolf
Enthusiast
Enthusiast

Yes, and that is the reason, why you get this message. If you do a plain vanilla install Vmware ESXi uses certificates signed by an internal CA. You have to import the root certificate of this CA as trusted root into your browsers to avoid error messages. Another option would be to install custom third party certificates from Verisign or another certificate provider.

0 Kudos
Dunland
Contributor
Contributor

Yes pwolf, that would work - but not IE, or Chrome or FF i cant download the cert. See the below screenshot of the options in FF - i cant hit 'view cert':

esxi 6.5 error tls .PNG

0 Kudos
pwolf
Enthusiast
Enthusiast

Firefox says the connection uses:

Unbenannt.JPG

That encryption scheme should be usable in almost any modern browser.

0 Kudos
pwolf
Enthusiast
Enthusiast

And the certificate used for ssl connections you find on the host under /etc/vmware/ssl ,  the rhttpproxy certificate is named rui.crt .

0 Kudos
Dunland
Contributor
Contributor

Hi Pwolf

so, i see your logic. The Cert should be fine.

So i decide to renew the cert - because perhaps it became corrupted. I followed the below guide and it had no impact:

vSphere Documentation Center

esxi 6.5 certs refresh putty.PNG

My next step will be to create a new cert and import it using SCP, as in the below guide - but I dont see how that would be any different:

Replace SSL Certificates on ESXi 6.x/6.5 - VMware - VMLinux

0 Kudos
Dunland
Contributor
Contributor

Next step

I used WIN SCP to download the rui.cert to my local machine and install it. i still get this error (please note the updated date of the self signed cert). As you can see, it has all the required properties, or am i missing something?

Still not liking it. Is my only option to set up a CA and go that way?

esxi 6.5 certs refresh install cert.PNG

=================================================

esxi 6.5 new-Certificate.png

0 Kudos
Dunland
Contributor
Contributor

Next step

Set up my AD domain to have Ca - downloaded the Ca using this guide:

How to obtain a Certificate from a Windows Certificate Authority (CA) | SonicWall

Installed that cert to my esxi host to the loaction /etc/vmware/ssl and guess what - still got the same error in chrome. This isnt a cert issue:

new AD cert.png

0 Kudos
Dunland
Contributor
Contributor

BUMP

New cert

AD CA

No errors on F12 menu ion chrome

still not showing up talking about TLS cipher issues

0 Kudos
Dunland
Contributor
Contributor

BUMP

Nobody able to advise?

0 Kudos
Dunland
Contributor
Contributor

Update

now on all devices i get the following error. Rebooted host to no effect:

esxi 6.5 error port 8309.PNG

0 Kudos