VMware Cloud Community
h3artbl33d
Contributor

ESXi management daemons crash after replacing SSL certificate

I've installed an ESXi evaluation and stumbled upon a bug. Reported it to @vmwarecares on Twitter and they've told me to report it here. This isn't a question, but merely a bug report to the development department. I couldn't submit this through the support page, as evaluations aren't listed (it requires selecting a product, but there is none, for that reason).

Product: VMware ESXi Version: 6.5.0 (Build 5224529) - Image profile: ESXi-6.5.0-4564106-standard (VMware, Inc.)

Category: BUG

Behaviour: When an invalid SSL certificate is uploaded through the vSphere web client, it's refused but applied nevertheless, crashing any and all of the management daemons.

Expected behaviour: When an invalid SSL certificate is uploaded through the vSphere web client, vSphere web client throws an error.

Steps to reproduce:

  1. Login to the vSphere web client (https://{$IP}).
  2. Navigate to Host -> Manage -> Security & Users -> Certificates.
  3. Click 'Import new certificate'.
  4. Import any, single PEM encoded certificate.
  5. vSphere will throw an error, rejecting the certificate.
  6. Wait a few minutes.
  7. Refresh the web client (hard refresh!), it will refuse the connection.
  8. Login to the SSH daemon; most management actions will be impossible (e.g. vim-cmd and esxcli will throw a refused connection error).

Steps to diagnose:

  1. The VPXA log (/var/log/vpxa.log) contains this line:
    [Originator@6876 sub=Default] Failed to initialize the SSL context: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) --> Panic: Failed to initialize the SSL context.

Steps to fix:

  1. Execute: /sbin/generate-certificates
  2. Restart the management daemons: services.sh restart
3 Replies
Enelass
Contributor

Hello,

Thank you for your post.

I am experiencing the same issue on ESXi 6.7 Lenovo Image (https://my.vmware.com/group/vmware/details?downloadGroup=OEM-ESXI67U1-LENOVO&productId=742)

SSH and ESXi Shell (over KVM) are disabled by default, so I'm afraid I'll have to reinstall ESXi from scratch; that is quite a nasty bug and a waste of time.

I'll post another reply, if I find a way to restore the default certificate.

Enelass
Contributor

I forgot ESXi Shell and SSH can be enabled from the ESXi console: no need to reinstall ESXi.


Enable SSH from the console and proceed as instructed in the first post to fix the Web Management.

Then follow VMware Knowledge Base (KB / Article 2113926) to install CA signed certificate or sensibly:

- move Base64 or PEM public certificate/key (rui.cer)

- and PKCS8 Private key (rui.key) to /etc/vmware/ssl/

- then restart management (services.sh restart) or ESXi
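
The manual swap described in the reply above is exactly the step that bit the first poster: ESXi's daemons will not start when the certificate and the private key in the SSL directory do not belong together (the vpxa.log line quoted above, X509_check_private_key: key values mismatch). The following shell script is an added example, not code from this thread or from VMware. It refuses to write the pair into the SSL directory unless the certificate's public key matches the private key, keeps a timestamped backup of the old pair so the host can be put back without /sbin/generate-certificates, and includes a check for the vpxa.log symptom. Assumptions: openssl is on PATH (ESXi ships one, but the script runs on any POSIX shell with openssl); the live file names are rui.crt and rui.key under /etc/vmware/ssl (the reply says rui.cer; the names and directory are parameters here). demo_cert_check builds a constructed self-signed pair and an unrelated key in a scratch directory, so it runs offline and touches no real host.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): guard the manual ESXi
# certificate swap so a mismatched cert/key can never reach the SSL directory.
# Assumed: openssl on PATH; live files rui.crt / rui.key in /etc/vmware/ssl.

# cert_key_match CERT KEY
#   0 = public key inside CERT equals the public key derived from KEY
#   1 = mismatch (the condition X509_check_private_key rejects)
#   2 = one of the files could not be parsed by openssl
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_esxi_cert CERT KEY [SSLDIR]
# Back up the current rui.crt/rui.key, then copy the new pair in. Refuses to
# touch SSLDIR at all when the pair does not match. On a real host follow
# this with: services.sh restart
install_esxi_cert() {
    cert=$1; key=$2; dir=${3:-/etc/vmware/ssl}
    if ! cert_key_match "$cert" "$key"; then
        echo "refusing: $cert does not match $key; management daemons would panic on restart" >&2
        return 1
    fi
    ts=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then cp "$dir/$f" "$dir/$f.$ts.bak" || return 1; fi
    done
    cp "$cert" "$dir/rui.crt" && cp "$key" "$dir/rui.key" && chmod 600 "$dir/rui.key"
}

# log_shows_key_mismatch LOGFILE
# True when LOGFILE carries the SSL-context panic quoted in the first post.
log_shows_key_mismatch() {
    grep -q 'X509_check_private_key:key values mismatch' "$1"
}

# demo_cert_check: constructed self-signed pair plus an unrelated key in a
# scratch directory; exercises the match check, the refusal, a real install
# and the log check. Returns 0 only when every step behaves as expected.
demo_cert_check() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esxi.example.test" \
        -keyout "$tmp/good.key" -out "$tmp/good.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/other.key" >/dev/null 2>&1 || return 1
    mkdir "$tmp/ssl" || return 1
    ok=0
    cert_key_match "$tmp/good.crt" "$tmp/good.key" || ok=1                 # matched pair passes
    if cert_key_match "$tmp/good.crt" "$tmp/other.key"; then ok=1; fi      # foreign key fails
    if install_esxi_cert "$tmp/good.crt" "$tmp/other.key" "$tmp/ssl" 2>/dev/null; then ok=1; fi
    install_esxi_cert "$tmp/good.crt" "$tmp/good.key" "$tmp/ssl" || ok=1  # good pair installs
    cert_key_match "$tmp/ssl/rui.crt" "$tmp/ssl/rui.key" || ok=1           # installed pair matches
    # constructed log line modelled on the vpxa.log entry quoted in the first post
    printf '%s\n' 'Panic: Failed to initialize the SSL context: SSL Exception: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch' > "$tmp/vpxa.log"
    log_shows_key_mismatch "$tmp/vpxa.log" || ok=1
    rm -rf "$tmp"
    return $ok
}
```

Usage on a host: `install_esxi_cert /tmp/new.crt /tmp/new.key && services.sh restart`. If the daemons are already down, run `grep -n 'key values mismatch' /var/log/vpxa.log` (what log_shows_key_mismatch does) to confirm it is the cert/key mismatch from this thread before falling back to /sbin/generate-certificates.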

wkksol
Contributor

OMG thank you so much - this was so helpful.

I put a bad certificate in there and I couldn't access the management interfaces.

So to recap - /sbin/generate-certificates will refresh it back to the old certificates and then the services.sh restart will restart the services correct?

Thanks again!
