ESXi host SSL vulnerability on port 9080
Article ID: 392412
Updated On:
Products
VMware vSphere ESXi
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0
Issue/Introduction
A vulnerability scan returns a "Network-Protocol/TLS/TLS Server Cert" on port 9080/TCP issue on ESXi hosts.
Environment
- VMware vSphere ESXi 7.x
- VMware vSphere ESXi 8.x
Cause
The iofiltervp.pem certificate of the hosts doesn't match with the rui.crt ESXi host certificate.
Resolution
- If the
iofiltervp.pemcertificate is expired:
- Renew the I/O filter certificate by performing the steps mentioned in the KB: Certain IOFIlter Providers are showing as offline
- Renew the I/O filter certificate by performing the steps mentioned in the KB: Certain IOFIlter Providers are showing as offline
- If the
iofiltervp.pemandrui.crtinformation are different:-
Take a backup of the existing
iofiltervp.pemfilecd /etc/vmware/sslmv iofiltervp.pem oldiofiltervp.pem.bak
-
Copy the information inside
rui.crtandrui.keyfile of the host from the following location/etc/vmware/ssl
-
Create a new
iofiltervp.pemfile using vi editor,vi iofiltervp.pem
- Paste the
rui.crtfollowed by therui.keyin the blankiofiltervp.pemfile and save the file -
Restart the iofilter service with the command:
/etc/init.d/iofiltervpd restart
-
- Perform the vulnerability scan on the ESXi
Feedback
Yes
No
Powered by
