ESXi management agents crash after replacing the SSL certificate on a host.

When an ESXi host is not managed by vCenter, the only ways to replace its certificate are the host web UI (https://esxi/ui) or the shell (SSH).
Neither path validates the uploaded certificate and key (for example, that the private key actually belongs to the certificate). If the pair is inconsistent, the management agents (e.g. the hostd service) will not start.
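Because the host does not perform that validation itself, the check worth running before copying anything into /etc/vmware/ssl is the same one hostd fails on: does the certificate's public key belong to the private key? The script below is an added example, not part of the original post or of ESXi; it assumes only the openssl command-line tool (present in the ESXi shell and on any admin workstation), and the function names (`cert_matches_key`, `preflight`, `demo`) are illustrative. It compares the SubjectPublicKeyInfo from the certificate with the one derived from the key, confirms the certificate is inside its validity window, and demonstrates both outcomes on a constructed self-signed pair plus an unrelated key.

```shell
#!/bin/sh
# Pre-flight check for an ESXi rui.crt / rui.key pair (added example, not from the original post).
# hostd aborts with "X509_check_private_key:key values mismatch" when the certificate's public key
# does not belong to the private key next to it, so compare the two before installing them.

# Print the public key embedded in a certificate (PEM SubjectPublicKeyInfo).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Derive the public key from a private key (PEM); works for RSA and EC keys.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 when the certificate and key belong together, 1 otherwise (including unreadable files).
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 when the certificate is currently valid (not expired, not before its notBefore date).
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Full pre-flight: both files parse, they match, and the certificate is within its validity window.
preflight() {
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 does not match $2 (hostd would panic with 'key values mismatch')" >&2
        return 1
    fi
    if ! cert_is_valid_now "$1"; then
        echo "FAIL: $1 is outside its validity period" >&2
        return 1
    fi
    echo "OK: $1 and $2 belong together and the certificate is currently valid"
}

# Demo on constructed data: a fresh self-signed pair and an unrelated key, generated in a temp dir.
# Returns 0 when the matching pair passes and the mismatched pair is rejected.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esxi-example" \
        -keyout "$d/rui.key" -out "$d/rui.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    preflight "$d/rui.crt" "$d/rui.key" && good=0 || good=1      # expected: OK
    preflight "$d/rui.crt" "$d/other.key" && bad=0 || bad=1      # expected: FAIL
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Usage: ./check-rui.sh rui.crt rui.key   (no arguments runs the constructed demo)
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    demo
fi
```

Run it against the certificate and key you intend to upload; a FAIL on the first check is exactly the condition that produces the hostd panic shown in the log below, and catching it here avoids having to recover the host afterwards.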

The following lines appear in hostd.log:

2019-07-31T19:09:37.227Z panic hostd[FFDDCB20] [Originator@6876 sub=Default] error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
2019-07-31T19:09:37.229Z panic hostd[FFDDCB20] [Originator@6876 sub=Default] backtrace:
-->
-->
--> [backtrace begin] product: VMware ESX, version: 6.0.0, build: build-9239799, tag: hostd
--> backtrace[00] libvmacore.so[0x00339BD3]: Vmacore::System::Stacktrace::CaptureWork(unsigned int)
--> backtrace[01] libvmacore.so[0x001479A9]: Vmacore::System::SystemFactoryImpl::CreateQuickBacktrace(Vmacore::Ref&)
--> backtrace[02] libvmacore.so[0x000F0835]: Vmacore::Throwable::Throwable(std::string const&)
--> backtrace[03] libvmacore.so[0x001695BC]
--> backtrace[04] libvmacore.so[0x00228025]
--> backtrace[05] libvmacore.so[0x00228484]
--> backtrace[06] libvmacore.so[0x0022E476]: Vmacore::Ssl::CreateSSLContext(Vmacore::Crypto::KeyStore*, Vmacore::Ssl::SupportedVersion, bool, Vmacore::Ref&)
--> backtrace[07] hostd[0x0037CEC5]
--> backtrace[08] hostd[0x0037D21D]
--> backtrace[09] hostd[0x0037DFEE]
--> backtrace[10] libvmacore.so[0x0010DA35]
--> backtrace[11] hostd[0x00ED63E1]
--> backtrace[12] hostd[0x00ECE918]
--> backtrace[13] hostd[0x003013CB]
--> backtrace[14] libc.so.6[0x00018B67]
--> backtrace[15] hostd[0x00303315]
--> [backtrace end]

The fix is to replace the mismatched certificate and key with a newly generated self-signed pair:

  • Connect to the host over SSH.
  • Back up (rename) the existing certificate and key so hostd no longer loads the mismatched pair:
[root@esxi-2:/etc/vmware/ssl] mv rui.crt orig.rui.crt
[root@esxi-2:/etc/vmware/ssl] mv rui.key orig.rui.key
  • Run the following command to generate a new self-signed certificate and key (rui.crt and rui.key in /etc/vmware/ssl):
/sbin/generate-certificates
  • Restart the management agents, or reboot the host:
services.sh restart

After the restart the management agents come up normally and the host is usable again.