Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

hostd fails to start with a Crypto Exception error (1021625)

Symptoms

  • Unable to start the hostd process of the ESX/ESXi host.
  • In the hostd.log file, you see entries similar to:

    [2010-05-17 02:10:57.050 F65FC6D0 info 'App'] Vmacore::InitSSL: doVersionCheck = false, handshakeTimeoutUs = 20000000
    [2010-05-17 02:10:57.051 F65FC6D0 panic 'App'] error: Crypto Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line

  • In the hostd.log file, you may also see a backtrace similar to:

    Hostd backtrace with following events after replacing ssl certificate in host.
    error: Crypto Exception: error:0906A068:PEM routines:PEM_do_header:bad password read

  • Unable to add an ESX/ESXi host to vCenter Server
  • You see the error:

    Cannot contact the specified host. The host may not be available on the network, a network configuration problem may exists, or the management services on the host may not be responding

  • The ESX/ESXi host shows as disconnected in vCenter Server

Resolution

This issue occurs if the self-signed SSL certificates are missing or are not updated after FQDN or Shortname change. 
 
To resolve this issue, you must create a new self-signed certificate on the ESX or ESXi host.
 
Note: If you are using custom or CA signed certificates, see Replacing vCenter Server Certificates.
 
To create a new self-signed certificate on the ESX or ESXi host:
  1. Run this command to navigate to the SSL folder:

    cd /etc/vmware/ssl


  2. Run this command to create a folder named backup:

    mkdir backup


  3. Run this command to move the existing SSL certificate files to the backup folder:

    mv rui.* backup

  4. Restart the management agents on the ESX or ESXi host. This creates a new self-signed certificate. For more information, see Restarting the Management agents on an ESX or ESXi Server (1003490).
Note: In ESXi 3.5, ESXi 4.1 and 5.x, if the new self-signed certificates are not created after restarting the management agents, you may have to manually create the certificates. To create new self-signed certificates:
  1. Change to sbin directory

    # cd /sbin/


  2. Run the generate-certificates.sh script to generate new certificates:

    # ./generate-certificates.sh
For ESXi 5.x, use this command:

# ./generate-certificates

For ESXi 3.5: Run the create_certificates script to generate new certificates:

# ./create_certificates

Note: For ESXi 3.5, restart the the management agents on the host to complete the process. For more information, see Restarting the Management agents on an ESX or ESXi Server (1003490).

Update History

08/03/2011 - Updated the Symptoms section with the hostd backtrace error 06/20/2012 - Added command for ESXi 5.x

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 4 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 4 Ratings
Actions
KB: