ESXi host disconnected from vCenter due to invalid or expired SSL certificate and ESXi host client is inaccessible.

Article ID: 414244

Updated On:

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • ESXi host is in a disconnected state within vCenter.
  • On the vCenter UI Summary page, following alert is reported: "Disconnected from host. Reason: Cannot verify the SSL trust."
  • In the ESXi Host Client UI, the message “no healthy upstream” is displayed.
  • DCUI is accessible for the impacted Host.
  • The hostd service is not running, and attempts to restart it are unsuccessful, as it starts briefly and then stops again.
  • The following error messages are found in /var/run/log/hostd.log:
    YYYY-MM-DDTHH:MM:SS Er Hostd[]: [Originator@yyyy sub=Solo] Failed to create SSL context: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:x509 certificate routines::no certificate or crl found)

Environment

vSphere ESXi 8.x

Cause

An expired or invalid SSL certificate on an ESXi host can cause the hostd management agent to fail, which breaks communication with vCenter and renders the vSphere Host Client UI inaccessible.

Resolution

Regenerate the host’s SSL certificate through the Direct Console User Interface (DCUI).

  • Accessing troubleshooting options:
    From the main DCUI screen, press F2 to open the “Customize the System” menu.
    Enter the root password when prompted to log in.
    Use the arrow keys to navigate to Troubleshooting Options and press Enter.
    Select Enable ESXi Shell and press Enter to allow local shell access.
    From the main DCUI screen, press Alt + F1 to switch to the shell and Alt + F2 to return to the DCUI.

  • Retrieve certificate information
    Run the following command on the ESXi host to get certificate information:
    openssl s_client -connect <esxi_host_ip>:443 -showcerts

    The following error is displayed if the certificate is expired, untrusted, or the certificate chain is incomplete: Verification error: unable to verify the first certificate

  • Backup or rename existing certificates
    mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
    mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key

  • Generate new certificates
    /sbin/generate-certificates

  • Verify certificate creation
    ls -la /etc/vmware/ssl/

  • Restart management services or reboot the host
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart

  • Reconnect the host in vCenter Server
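As an added example (not part of this KB article or of VMware tooling) of catching this condition before hostd fails: a standard-library-only Python monitor that pulls an ESXi host's certificate over port 443 and reports the days left until notAfter, parsing the DER directly. The constructed sample certificate and the helper names (fetch_host_cert, constructed_sample_cert) are assumptions for illustration; the sample is hand-built with only the fields the parser walks.

```python
import socket
import ssl
from datetime import datetime, timezone

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = byte count of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """(tag, value_start, value_end) of every element inside a constructed type."""
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime, with no third-party libraries."""
    _, tbs_start, _ = der_tlv(der, 0)                            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = der_children(der, *der_tlv(der, tbs_start)[1:])    # tbsCertificate fields
    if fields[0][0] == 0xA0:                                     # optional [0] EXPLICIT version
        fields.pop(0)
    tag, ts, te = der_children(der, *fields[3][1:])[1]          # serial, signature, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(der, now=None):        # negative once expired: the state in which hostd fails to start
    return (cert_not_after(der) - (now or datetime.now(timezone.utc))).total_seconds() / 86400

def fetch_host_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate without verifying it (ESXi's rui.crt is usually self-signed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # hostname check must be disabled first
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def der_encode(tag, payload):                                    # short-form lengths only (payload < 128 bytes)
    return bytes([tag, len(payload)]) + payload

def constructed_sample_cert(not_before, not_after):
    """Constructed, unsigned stand-in for rui.crt: only the fields the parser walks, times as UTCTime strings."""
    utc = lambda s: der_encode(0x17, s.encode("ascii"))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")          # [0] version v3, serial
           + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))        # sha256WithRSAEncryption
           + der_encode(0x30, b"") + der_encode(0x30, utc(not_before) + utc(not_after)))    # empty issuer, validity
    return der_encode(0x30, der_encode(0x30, tbs))
```

Against a live host, `days_until_expiry(fetch_host_cert("<esxi_host_ip>"))` gives the number to alert on; a negative value matches the "no certificate or crl found" failure described above.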