3 Replies Latest reply on Feb 8, 2019 9:44 PM by wkksol

    ESXi management daemons crash after replacing SSL certificate

    h3artbl33d Lurker

      I've installed an ESXi evaluation and stumbled upon a bug. Reported it to @vmwarecares on Twitter and they've told me to report it here. This isn't a question, but merely a bug report to the development department. I couldn't submit this through the support page, as evaluations aren't listed (it requires to select a product, but there are none for that reason).

       

      Product: VMware ESXi Version: 6.5.0 (Build 5224529) - Image profile: ESXi-6.5.0-4564106-standard (VMware, Inc.)

      Category: BUG

      Behaviour: When an invalid SSL certificate is uploaded through the vSphere web client, it's refused but applied nevertheless, crashing any and all of the management daemons.

      Expected behaviour: When an invalid SSL certificate is uploaded through the vSphere web client, vSphere web client throws an error.

      Steps to reproduce:

       

      1. Login to the vSphere web client (https://{$IP}).
      2. Navigate to Host -> Manage -> Security & Users -> Certificates.
      3. Click 'Import new certificate'.
      4. Import any, single PEM encoded certificate.
      5. vSphere will throw an error, rejecting the certificate.
      6. Wait a few minutes.
      7. Refresh the web client (hard refresh!), it will refuse the connection.
      8. Login to the SSH daemon, most management actions will be impossible (eg, vim-cmd, esxcli, will throw an refused connection error).

       

      Steps to diagnose:

       

      1. The VPXA log (/var/log/vpxa.log) contains this line:
        [Originator@6876 sub=Default] Failed to initialize the SSL context: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) --> Panic: Failed to initialize the SSL context.

       

      Steps to fix:

       

      1. Execute: /sbin/generate-certificates
      2. Restart the management daemons: services.sh restart