The ESXi host fails to establish a connection with vCenter because the vpxa service failing and creating vpxa-zdump.
search cancel

The ESXi host fails to establish a connection with vCenter because the vpxa service failing and creating vpxa-zdump.

book

Article ID: 419343

calendar_today

Updated On:

Products

VMware vSphere ESXi 8.0 VMware vCenter Server 8.0

Issue/Introduction

  • ESXi host is disconnected/Not Responding from the vCenter server.
  • Review the hostd service status and observe if the status is down: /etc/init.d/hostd status
  • mp files generated in /var/core/ Location.
    Ex. MM DD HH:MM vpxa-zdump.000
        MM DD HH:MM vpxa-zdump.001

  • After Attempting to manually start vpxa service and the service starts and fails after some time.
  • The below errors were observed in /var/run/log/vpxa.log, where the handshake between the ESXi and vCenter fails due to an invalid ESXi host certificate:
    YYYY-MM-DDTHH:MM:SSZ In(166) Vpxa[15561258]: [Originator@6876 sub=Default] Vmacore::InitSSL: handshakeTimeoutUs = 20000000
    YYYY-MM-DDTHH:MM:SSZ In(166) Vpxa[15561258]: [Originator@6876 sub=Default] Service is running in FIPS mode.
    YYYY-MM-DDTHH:MM:SSZ In(166) Vpxa[15561258]: [Originator@6876 sub=Default] [Vpxd_EarlyInit] Setting malloc mmap threshold to 32KB
    YYYY-MM-DDTHH:MM:SSZ In(166) Vpxa[15561258]: [Originator@6876 sub=Default] Creating SSL Contexts
    YYYY-MM-DDTHH:MM:SSZ Er(163) Vpxa[15561258]: [Originator@6876 sub=Default] Failed to initialize the SSL context: N7Vmacore6Crypto15CryptoExceptionE(Crypto Exception: error:80000002:system library::No such file or directory: unable to load BIO)
    YYYY-MM-DDTHH:MM:SSZ Er(163) Vpxa[15561258]: -->[context]zKq7AVICAgAAANVUewEKdnB4YQAA88lHbGlidm1hY29yZS5zbwAAxSY3AFIzIQBVMzcAMjY3Abq0HnZweGEAAf2JIgFwKBoCPTQCbGliYy5zby42AAGaxxs=[/context]
    YYYY-MM-DDTHH:MM:SSZ Cr(162) Vpxa[15561258]: [Originator@6876 sub=Default]
    YYYY-MM-DDTHH:MM:SSZ Cr(162) Vpxa[15561258]: -->
    YYYY-MM-DDTHH:MM:SSZ Cr(162) Vpxa[15561258]: --> Panic: Failed to initialize the SSL context.
    YYYY-MM-DDTHH:MM:SSZ Cr(162) Vpxa[15561258]: --> Backtrace:
    YYYY-MM-DDTHH:MM:SSZ Cr(162) Vpxa[15561258]: --> [backtrace begin] product: VMware ESXi, version: 8.0.X, build: build-XXXXXXXX, tag: vpxa, cpu: x86_64, os: esx, buildType: release
  • vmkwarning.log
    YYYY-MM-DDTHH:MM:SSZ Al(177) vmkalert: cpu12:15300376)ALERT: SSL certificates are invalid

Environment

VMware ESXi 8.x

Cause

Issue is  caused due to an invalid SSL certificate on the ESXi host.

Resolution

1) Regenerate the ESXi self-signed certificate using the following command:
/sbin/generate-certificates

2) Restart the hostd and vpxa services
/etc/init.d/hostd restart && /etc/init.d/vpxa restart

As the hostd service is up, the ESXi host can now be reconnected back to the vCenter server.

  • You may use the below steps to renew any custom certs of the ESXi. 

Use vCert - Scripted vCenter expired certificate replacement to replace the ESXi custom cert.

1. Navigate through the following options:

    1. ESXi certificate operations

    1. Replace ESXi certificate

    1. Import CA-signed certificate and key

2. Provide the required details:

Enter FQDN or IP of the ESXi host: Enter the IP or the FQDN of the ESXi.

Enter root password for ESXi host: Enter The Root Password.

Enter path to new ESXi certificate:  location and the file name (eg. /tmp/key/rui.crt) 

3. After replacing the ESXi certificates:

  1. Run the following command on the ESXi host to save the new certificate and key to the bootbank: /bin/auto-backup.sh

  2. Restart the Management Agents (rhttpproxy, hostd, vpxa).

  3. Disconnect and reconnect the host in vCenter to update the certificate information in the vCenter database.

Additional Information

The ESXi host fails to establish a connection with vCenter because the Hostd service failed to start

Powered by Wolken Software