hostd fails to start with a Crypto Exception error

Article ID: 310444

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Unable to start the hostd process of the ESX/ESXi host.
  • In the hostd.log file, you see entries similar to:

    [2010-05-17 02:10:57.050 F65FC6D0 info 'App'] Vmacore::InitSSL: doVersionCheck = false, handshakeTimeoutUs = 20000000
    [2010-05-17 02:10:57.051 F65FC6D0 panic 'App'] error: Crypto Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line

  • In the hostd.log file, you may also see a backtrace similar to:

    Hostd backtrace with following events after replacing ssl certificate in host.
    error: Crypto Exception: error:0906A068:PEM routines:PEM_do_header:bad password read

  • Unable to add an ESX/ESXi host to vCenter Server
  • You see the error:

    Cannot contact the specified host. The host may not be available on the network, a network configuration problem may exists, or the management services on the host may not be responding

  • The ESX/ESXi host shows as disconnected in vCenter Server


Environment

VMware ESX Server 3.0.x
VMware ESXi 4.1.x Installable
VMware ESXi 3.5.x Embedded
VMware ESX Server 2.0.x
VMware ESXi 4.0.x Installable
VMware ESXi 4.0.x Embedded
VMware ESX Server 1.5.x
VMware ESX 4.0.x
VMware ESXi 3.5.x Installable
VMware ESX Server 2.5.x
VMware ESX Server 3.5.x
VMware ESX Server 2.1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 5.0
VMware ESX Server 1.x

Resolution

This issue occurs if the self-signed SSL certificates are missing or were not updated after an FQDN or short name change.
To resolve this issue, you must create a new self-signed certificate on the ESX or ESXi host.
Note: If you are using custom or CA signed certificates, see Replacing vCenter Server Certificates.
To create a new self-signed certificate on the ESX or ESXi host:
  1. Run this command to navigate to the SSL folder:

    cd /etc/vmware/ssl


  2. Run this command to create a folder named backup:

    mkdir backup


  3. Run this command to move the existing SSL certificate files to the backup folder:

    mv rui.* backup

  4. Restart the management agents on the ESX or ESXi host. This creates a new self-signed certificate. For more information, see Restarting the Management agents on an ESX or ESXi Server (1003490).

Note: In ESXi 3.5, ESXi 4.1 and 5.x, if the new self-signed certificates are not created after restarting the management agents, you may have to create the certificates manually. To create new self-signed certificates:
  1. Change to the sbin directory:

    # cd /sbin/


  2. Run the generate-certificates.sh script to generate new certificates:

    # ./generate-certificates.sh

     For ESXi 5.x, use this command:

    # ./generate-certificates

     For ESXi 3.5, run the create_certificates script to generate new certificates:

    # ./create_certificates

Note: For ESXi 3.5, restart the management agents on the host to complete the process. For more information, see Restarting the Management agents on an ESX or ESXi Server (1003490).
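
The two hostd.log errors in the Symptoms section point at different file conditions: "no start line" means OpenSSL found no `-----BEGIN` line in the file, and "bad password read" means the private key is passphrase-protected and could not be decrypted unattended. The script below is an added example, not part of the original article or a VMware tool; it classifies the files accordingly, before moving rui.* aside or after regenerating them. The function names are hypothetical, and it assumes the files matched by rui.* are rui.crt and rui.key.

```shell
#!/bin/sh
# Added example (not a VMware tool): classify the PEM files hostd loads at startup.
# Assumption: the files matched by rui.* are rui.crt and rui.key in /etc/vmware/ssl.

# pem_status FILE -> prints: missing | empty | no-start-line | encrypted-key | ok
pem_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    # "PEM_read_bio:no start line": no line begins with the -----BEGIN armor.
    grep -q -e '^-----BEGIN [A-Z0-9 ]*-----' "$f" || { echo no-start-line; return; }
    # "PEM_do_header:bad password read": the key is encrypted. The traditional
    # format carries a Proc-Type header; PKCS#8 uses a distinct BEGIN label.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted-key
        return
    fi
    echo ok
}

# check_ssl_dir DIR -> prints one line per file, returns 1 if any file is not ok
check_ssl_dir() {
    dir=$1
    rc=0
    for name in rui.crt rui.key; do
        s=$(pem_status "$dir/$name")
        echo "$dir/$name: $s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# Runs only where the ESX/ESXi SSL folder exists.
if [ -d /etc/vmware/ssl ]; then
    check_ssl_dir /etc/vmware/ssl
fi
```

A result of `ok` only means the PEM armor is present and the key is not encrypted; it does not confirm that the certificate matches the host's current FQDN.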