VMware Cloud Community
Vguitarist
Contributor

How Do I Fix The VSphere Web Client Certificate Error?

Hello,

I have a bare metal ESXi 6.7 host in a home lab for training purposes. I do not have vCenter. How do I get rid of the browser certificate error when using the web client?

-VGuitarist

11 Replies
IRIX201110141
Champion

If you point your browser directly to an ESXi host, you use the "Host Client" and not the Adobe Flex-based "Web Client" which is offered as part of vCenter.

Take a look at "Certificate errors when accessing vSphere web client on 6.5 (Hypervisor)", at the last post, which also gives you the answer when connecting to the Host Client. If you use Internet Explorer you have to add the cert to the Windows cert store, which is part of the OS. Mozilla FF uses its own certificate store.

As a second solution you can swap the ESXi default cert for a self-signed one (not the easiest step!).

Regards,

Joerg

0 Kudos
dscish
Contributor

I'm in the exact same situation and I've spent two days looking for a solution with no luck. I thought I'd bump this thread rather than create an identical question myself.

Some details on the test rig:

- single bare metal host running ESXi 6.7

- single PC acting as a client (Win 10), running Chrome web browser and connecting to the host by typing in the host IP address in the browser

- no vCenter and no other VMware products are installed

On the host I've renamed it to "server3", then ran a command from ssh shell to regenerate the ssl certs, so they look fine if I view them in the web client (CN=server3).

After typing in the IP address of the host I get the usual certificate invalid error, I pick the option to continue to the login screen, then right click on the web browser address field where it says "Invalid certificate", then choose copy cert contents to file, then save that as a .crt file, then I install this in the Trusted Root Authority folder. I've also tried running a WinSCP session and copied over the original host cert "rui.crt" and installed that as well, although I'm fairly sure it's the same cert. With those two installed I still get the invalid cert message, but it now says:

"The issuer of this certificate could not be found"

Which makes sense as the issuer is actually unknown, but I've got no idea what to do to make this work. Is it even possible to resolve without moving over to my own self signed certs? I've logged a ticket with VMware, but I'm fairly sure they'll just come back with a load of unrelated info, or send me links to articles which mention a solution for when you are using vCenter. Every single tutorial I've found suggests going over to the vCenter webpage, then picking the link for "download certs", but of course if you haven't got vCenter, you're not going to get those links.

Rgrds,

T.

0 Kudos
dscish
Contributor

Finally realised I was copying over the wrong cert: you need to copy over the castore.pem cert, not the rui.crt one. Anyways, here's a short procedure which might help someone:

- go to your ESXi host, open Configure Management Network, open DNS Configuration, set hostname to whatever your desired name is (server3 in this case). Esc out of the settings back to the main screen saving the network configuration when prompted

- Alt+F1 to go into console (Alt+F2 to get out of it), log in as root and run the following to regenerate certs for the new host name:

cd /etc/vmware/ssl

/sbin/generate-certificates

reboot

- when the host is up and running, use WinSCP (or some other method) to copy the castore.pem from the /etc/vmware/ssl folder on the host to your local workstation. Hit the start menu button on the workstation, start typing certif... and pick Manage computer certificates, then in the left hand side list pick Trusted Root Certification Authorities / Certificates, then on the list on the right, right click and pick All Tasks->Import. Select the downloaded castore.pem (select to view All files rather than crt only) and run through the import process

- open your hosts file (c:\Windows\System32\Drivers\etc\hosts) and insert a new entry with your IP address and hostname

- open up your browser and type in http://[hostname] which should open up the vsphere client login webpage with a valid cert and no issues

gpcsnet
Contributor

And after this, if you don't have a login page, try this:

After Installing ESXi, Once pressed Alt + F1 blank screen

0 Kudos
engr263
Contributor

Thank you so much! This was bugging me so much and I spent a few hours here and there trying to fix it, but this solved my problem! The only thing I stumbled on was making sure that the host/domain from ESXi was exactly the same as in my /etc/host file.

Again, many many thanks.

0 Kudos
NathanosBlightc
Commander

Check the following link for instructions on replacing the ESXi self-signed certificate:

Replace the Default Certificate and Key from the ESXi Shell

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
Cyrilweb
Contributor

dscish Merci!! / Thank you

0 Kudos
Dudleydoggg
Contributor

This works just fine, but only for the IP; the hostname is not in the certificate. What did I miss?

Vmware Trials Are the Bomb
0 Kudos
daphnissov
Immortal

The hostname will not be encoded in the default certificate, only the IP. You can replace the default certificate with a custom one of your choosing and specify the hostname in the CN field.

0 Kudos
nachogonzalez
Commander

Have you installed the host's self-signed certificate into Windows?

0 Kudos
Kalamchi
Contributor

Hi Guys,

I have installed a proper trusted wildcard SSL that we use for our domain. The ESXi host FQDN is within our domain. ESXi shows that it has the correct SSL certificate and it's valid until 2022.

Yet the browsers (any of them) still show that the connection is not secure?

I have rebooted the host after uploading the cert and key via SSH. Yet still the same complaint in the browsers.

The host is bare metal ESXi 6.5, no vCenter.

Any advice ?

Thanks

0 Kudos
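
The checks discussed in this thread (trusting castore.pem, a certificate that validates for the IP but not the hostname, and a wildcard certificate) as an added Python example, not code from any poster or from VMware. The certificate dictionaries are constructed samples in the format returned by Python's `getpeercert()`, the function names are this example's own, and it assumes the browser matches only subjectAltName entries and ignores the subject CN.

```python
import ipaddress
import socket
import ssl

def san_entries(cert):
    """Split a getpeercert()-style subjectAltName into (dns_names, ip_addresses)."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def name_matches(cert, typed):
    """True if the name typed in the address bar is covered by the cert's SAN.
    No fallback to the subject CN (assumption stated in the lead-in)."""
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(typed) in ips
    except ValueError:  # not an IP literal, so treat it as a DNS name
        host = typed.lower().rstrip(".")
        return any(dns_match(p, host) for p in dns)

def probe(typed, cafile, port=443, timeout=5):
    """Live check: trust only cafile (e.g. the copied castore.pem) and report
    what verification says for the exact name or IP you would browse to."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((typed, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=typed) as tls:
                return "ok", tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as err:
        return "fail", err.verify_message

# Constructed sample certificates (not taken from a real host).
IP_ONLY = {"subject": ((("commonName", "server3"),),),
           "subjectAltName": (("IP Address", "192.0.2.10"),)}
WILDCARD = {"subject": ((("commonName", "*.lab.example"),),),
            "subjectAltName": (("DNS", "*.lab.example"),)}
```

`name_matches` runs offline on the samples; `probe("server3", "castore.pem")` needs network access to the host and should be called with exactly the name or IP used in the browser.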