VMware Cloud Community
adamwms
Enthusiast

disconnecting host from vSphere resets SSL certificate files

My environment:

vSphere Client version 7.0.2.00500
ESXi client version: 1.34.8
ESXi client build number: 17417756
ESXi version: 7.0.2
ESXi build number: 17867351

In the vSphere Client UI I connected a single ESXi host to a datacenter.

I assigned a license and set lockdown mode to "disabled".

It worked as expected, e.g. VM consoles were only available in vSphere and not directly on the ESXi host.

When I disconnected (Datacenter -> myhost -> right click -> Connection -> Disconnect) I could no longer use the host's web GUI directly: "Unknown error on logout".

The root user was not locked:

[root@myhost:~] pam_tally2 --user root
Login           Failures Latest failure     From
root                0

I went back to the web GUI to see "Please refresh your browser" and, after refreshing, "Your connection is not private".

It turned out that both of our custom SSL certificate files (wildcard SAN multidomain), rui.key and rui.crt, were automatically reverted to the factory defaults.

Is this normal behaviour?

They were supposed to be saved beforehand and the file was there:

[root@myhost:~] cat /etc/vmware/ssl/rui.log
#
# Host private key and certificate backup from 2021-11-12 13:53:15.923
#

-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

Unfortunately, both the key and the certificate were exactly the same as the factory default, so this clearly went wrong.

I can put our cert files back and restart the management agents from the DCUI (no downtime), but it's still quite annoying.

Any ideas?

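One way to detect the condition described in this post, as an added example that is not part of the original post and is not VMware code: it fingerprints the CERTIFICATE blocks in rui.crt and in the rui.log backup and compares them with the certificate that was meant to be deployed. The function names, finding labels and PEM payloads are constructed for illustration; on a host the inputs would be the contents of /etc/vmware/ssl/rui.crt, /etc/vmware/ssl/rui.log and your own copy of the custom certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----")

def cert_fingerprints(text):
    """SHA-256 over the DER bytes of each CERTIFICATE block. '#' comment lines
    and PRIVATE KEY blocks (both present in rui.log) are skipped, never hashed."""
    return [hashlib.sha256(base64.b64decode("".join(m["body"].split()))).hexdigest()
            for m in PEM_RE.finditer(text) if m["label"] == "CERTIFICATE"]

def check_host(expected_crt, live_crt, backup_log):
    """Compare the host's files against the certificate you intended to deploy."""
    expected = cert_fingerprints(expected_crt)
    if not expected:
        raise ValueError("expected certificate contains no CERTIFICATE block")
    live = cert_fingerprints(live_crt)
    backup = cert_fingerprints(backup_log)
    findings = []
    if live[:1] != expected[:1]:
        findings.append("live-cert-replaced")             # rui.crt is not ours
    if expected[0] not in backup:
        findings.append("backup-lacks-expected-cert")     # cannot restore from rui.log
    if live and live[0] in backup and live[0] != expected[0]:
        findings.append("backup-holds-replacement-cert")  # backup taken after the swap
    return findings

def make_pem(label, der):
    """Build a PEM block around arbitrary bytes (constructed sample input only)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed stand-ins: not real certificates or keys.
CUSTOM = make_pem("CERTIFICATE", b"constructed custom wildcard cert")
DEFAULT = make_pem("CERTIFICATE", b"constructed factory default cert")
BACKUP_LOG = ("#\n# Host private key and certificate backup from 2021-11-12 13:53:15.923\n#\n\n"
              + make_pem("PRIVATE KEY", b"constructed key bytes") + "\n" + DEFAULT)

if __name__ == "__main__":
    # The situation in the post: default cert live, and the backup holds it too.
    for finding in check_host(CUSTOM, DEFAULT, BACKUP_LOG):
        print(finding)
```

Running it before and after a vCenter connect or disconnect shows whether the live certificate changed and whether the rui.log backup can actually be used to restore the custom one.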